diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 1aa5fa5..62c41ca 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,69 +1,2 @@
-# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
-
-/docs/ @ZachChristensen28 @ZachTheSplunker
-
-# This is a comment.
-# Each line is a file pattern followed by one or more owners.
-
-# These owners will be the default owners for everything in
-# the repo. Unless a later match takes precedence,
-# @global-owner1 and @global-owner2 will be requested for
-# review when someone opens a pull request.
-#* @global-owner1 @global-owner2
-
-# Order is important; the last matching pattern takes the most
-# precedence. When someone opens a pull request that only
-# modifies JS files, only @js-owner and not the global
-# owner(s) will be requested for a review.
-#*.js @js-owner #This is an inline comment.
-
-# You can also use email addresses if you prefer. They'll be
-# used to look up users just like we do for commit author
-# emails.
-#*.go docs@example.com
-
-# Teams can be specified as code owners as well. Teams should
-# be identified in the format @org/team-name. Teams must have
-# explicit write access to the repository. In this example,
-# the octocats team in the octo-org organization owns all .txt files.
-#*.txt @octo-org/octocats
-
-# In this example, @doctocat owns any files in the build/logs
-# directory at the root of the repository and any of its
-# subdirectories.
-#/build/logs/ @doctocat
-
-# The `docs/*` pattern will match files like
-# `docs/getting-started.md` but not further nested files like
-# `docs/build-app/troubleshooting.md`.
-#docs/* docs@example.com
-
-# In this example, @octocat owns any file in an apps directory
-# anywhere in your repository.
-#apps/ @octocat
-
-# In this example, @doctocat owns any file in the `/docs`
-# directory in the root of your repository and any of its
-# subdirectories.
-#/docs/ @doctocat
-
-# In this example, any change inside the `/scripts` directory
-# will require approval from @doctocat or @octocat.
-#/scripts/ @doctocat @octocat
-
-# In this example, @octocat owns any file in a `/logs` directory such as
-# `/build/logs`, `/scripts/logs`, and `/deeply/nested/logs`. Any changes
-# in a `/logs` directory will require approval from @octocat.
-#**/logs @octocat
-
-# In this example, @octocat owns any file in the `/apps`
-# directory in the root of your repository except for the `/apps/github`
-# subdirectory, as its owners are left empty.
-#/apps/ @octocat
-#/apps/github
-
-# In this example, @octocat owns any file in the `/apps`
-# directory in the root of your repository except for the `/apps/github`
-# subdirectory, as this subdirectory has its own owner @doctocat
-#/apps/ @octocat
-#/apps/github @doctocat
\ No newline at end of file
+* @ZachChristensen28 @ZachTheSplunker
+/src/ @noodletoad
\ No newline at end of file
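Review bot: The new `/src/ @noodletoad` line makes @noodletoad the only owner requested for changes under /src/, because the last matching pattern wins (the removed header on the old lines 19-22 spelled this out), so the two maintainers on the `*` line are not requested for source changes. If the intent is that source changes are reviewed by the maintainers as well, the owners have to be repeated on that line: `/src/ @noodletoad @ZachChristensen28 @ZachTheSplunker`. This matters when branch protection requires code-owner review, since narrowing the owner set for a path also narrows who can approve it; if sole ownership of /src/ is deliberate, a one-line comment above it saying so would stop the next reader from "fixing" it.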
diff --git a/.github/ISSUE_TEMPLATE/01-bug-report.yml b/.github/ISSUE_TEMPLATE/01-bug-report.yml
index 35311a6..e7e56a8 100644
--- a/.github/ISSUE_TEMPLATE/01-bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/01-bug-report.yml
@@ -20,12 +20,12 @@ body:
label: Related links
description: >-
Please list all links to the sections of
- [the documentation](#TODO) that
+ [the documentation](https://cs-intel.rba.community/) that
are relevant to the bug in order to show that you have consulted and
thoroughly read it. Additionally, list links to possibly related open
- and closed [issues](#TODO).
+ and closed [issues](https://github.com/rba-community/SA-CrowdstrikeIntelIndicators/issues).
value: |-
- - [Example Issue](#TODO)
+ - [Example Issue](https://github.com/rba-community/SA-CrowdstrikeIntelIndicators/issues)
-
validations:
required: true
@@ -33,20 +33,20 @@ body:
- type: input
id: sa-version
attributes:
- label: #TODO Version
+ label: SA-CrowdstrikeIntelIndicators Version
description: >-
- Which version of this add-on (#TODO) are you using?
+ Which version of this add-on (SA-CrowdstrikeIntelIndicators) are you using?
placeholder: |-
1.0.0
- type: input
id: ta-version
attributes:
- label: #TODO Add-on Version
+ label: CrowdStrike Intel Indicator TA Version
description: >-
- Which version of the [#TODO](#TODO) are you using?
+ Which version of the [CrowdStrike Intel Indicator TA](https://splunkbase.splunk.com/app/5083) are you using?
placeholder: |-
- 1.3.2
+ 3.1.2
validations:
required: true
diff --git a/.github/ISSUE_TEMPLATE/02-docs-issue.yml b/.github/ISSUE_TEMPLATE/02-docs-issue.yml
index caff3d3..9104f09 100644
--- a/.github/ISSUE_TEMPLATE/02-docs-issue.yml
+++ b/.github/ISSUE_TEMPLATE/02-docs-issue.yml
@@ -8,7 +8,7 @@ body:
attributes:
label: Description
description: >-
- Please describe the issue found in the [documentation](#TODO) or an improvement that can be made.
+ Please describe the issue found in the [documentation](https://cs-intel.rba.community/) or an improvement that can be made.
validations:
required: true
@@ -17,7 +17,7 @@ body:
attributes:
label: Related links
description: >-
- Please list all links to the sections of [our documentation](#TODO) that are impacted by the issue you described above.
+ Please list all links to the sections of [our documentation](https://cs-intel.rba.community/) that are impacted by the issue you described above.
validations:
required: true
diff --git a/.github/ISSUE_TEMPLATE/03-feature-request.yml b/.github/ISSUE_TEMPLATE/03-feature-request.yml
index efb944b..e1dbd68 100644
--- a/.github/ISSUE_TEMPLATE/03-feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/03-feature-request.yml
@@ -19,8 +19,8 @@ body:
attributes:
label: Related links
description: >-
- (optional) Please list all links to open and closed [issues](#TODO) or to [documentation sections](#TODO)
+ (optional) Please list all links to open and closed [issues](https://github.com/rba-community/SA-CrowdstrikeIntelIndicators/issues) or to [documentation sections](https://cs-intel.rba.community/)
that are relevant to your idea.
value: |-
- - [Feature Request](#TODO)
+ - [Feature Request](https://cs-intel.rba.community/)
-
\ No newline at end of file
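Review bot: The example bullet in `value:` labels itself "Feature Request" but now points at the documentation site, while the description two lines above sends issue links to the GitHub issues page and the bug template's equivalent example uses that issues URL; a feature request is an issue, so this looks like the wrong target was substituted for the placeholder. If so, the line should read `- [Feature Request](https://github.com/rba-community/SA-CrowdstrikeIntelIndicators/issues)`. The block scalar is closed by a bare `-` on the next line, so only the URL changes.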
diff --git a/LICENSE b/LICENSE
index 49862dc..b8e282e 100644
--- a/LICENSE
+++ b/LICENSE
@@ -186,7 +186,7 @@
same "printed page" as the copyright notice for easier
identification within third-party archives.
- Copyright [yyyy] [#TODO name of copyright owner]
+ Copyright 2023 Dennis Morton
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
diff --git a/README.md b/README.md
index 989ad29..d553f8d 100644
--- a/README.md
+++ b/README.md
@@ -1,41 +1,39 @@
-
-
-
-
-
-
-![GitHub](https://img.shields.io/github/license/rba-community/SA-#TODO)
-[![Docs](https://github.com/rba-community/SA-#TODO/actions/workflows/docs.yml/badge.svg)](https://splunk-#TODO.ztsplunker.com/)
-![Appinspect](https://github.com/rba-community/SA-#TODO/actions/workflows/appinspect.yml/badge.svg)
-![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/rba-community/SA-#TODO)
-[![Splunkbase App](https://img.shields.io/badge/Splunkbase-SA--#TODO-blue)](https://splunkbase.splunk.com/app/#TODO)
+# SA-CrowdstrikeIntelIndicators for Enterprise Security
+
+![GitHub](https://img.shields.io/github/license/rba-community/SA-CrowdstrikeIntelIndicators)
+[![Docs](https://github.com/rba-community/SA-CrowdstrikeIntelIndicators/actions/workflows/docs.yml/badge.svg)](https://cs-intel.rba.community/)
+![Appinspect](https://github.com/rba-community/SA-CrowdstrikeIntelIndicators/actions/workflows/appinspect.yml/badge.svg)
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/rba-community/SA-CrowdstrikeIntelIndicators)
+[![Splunkbase App](https://img.shields.io/badge/Splunkbase-SA--CrowdstrikeIntelIndicators-blue)](https://splunkbase.splunk.com/app/#TODO)
[![Splunk ES Compatibility](https://img.shields.io/badge/Splunk%20ES%20Compatibility-7.x%20|%206.x-success)](https://splunkbase.splunk.com/app/263)
-[![#TODO TA Compatibility](https://img.shields.io/badge/#TODO%20TA%20Compatibility->=1.3.2-success)](https://splunkbase.splunk.com/app/#TODO)
+[![CrowdStrike Intel Indicator TA Compatibility](https://img.shields.io/badge/CrowdStrike%20Indicator%20TA%20Compatibility->=3.1.2-success)](https://splunkbase.splunk.com/app/5083)
![Splunk Cloud Compatibility](https://img.shields.io/badge/Splunk%20Cloud%20Ready-Victoria%20|%20Classic-informational?logo=splunk)
+[![Author LinkedIn](https://img.shields.io/badge/Author-Dennis%20Morton-blue?logo=linkedin)](https://www.linkedin.com/in/dennis-morton-627632/)
-This supporting add-on comes with prebuilt content for #TODO InsightVM data to be easily used with Splunk Enterprise Security's Asset database.
+This supporting add-on Adds CrowdStrike's intelligence indicators to Splunk Enterprise Security's threat framework.
> ** This supporting add-on is only intended to work with Splunk Enterprise Security deployments **
## Documentation
-Full documentation can be found at [https://splunk-#TODO.ztsplunker.com](https://splunk-#TODO.ztsplunker.com).
+Full documentation can be found at [https://cs-intel.rba.community](https://cs-intel.rba.community).
## Disclaimer
-> *This Splunk Supporting Add-on is __not__ affiliated with [__#TODO__:icon-link-external:][#TODO]{ target="blank" } and is not sponsored or sanctioned by the #TODO team. Please visit [#TODO:icon-link-external:][#TODO]{ target="blank" } for more information about #TODO.*
+> *This Splunk Supporting Add-on is __not__ affiliated with [__CrowdStrike, Inc.__][cs] and is not sponsored or sanctioned by the CrowdStrike team. Please visit [https://www.crowdstrike.com/][cs] for more information about CrowdStrike.*
## About
Info | Description
------|----------
-SA-#TODO | 1.0.1 - [Splunkbase](https://splunkbase.splunk.com/app/#TODO) \| [GitHub](https://github.com/rba-community/SA-#TODO/releases)
+SA-CrowdstrikeIntelIndicators | 1.0.0 - [Splunkbase](https://splunkbase.splunk.com/app/#TODO) \| [GitHub](https://github.com/rba-community/SA-CrowdstrikeIntelIndicators/releases)
Splunk Enterprise Security Version (Required) | [7.x \| 6.x](https://splunkbase.splunk.com/app/263)
-#TODO InsightVM Technology Add-On (Required) | [>=1.3.2](https://splunkbase.splunk.com/app/#TODO)
+CrowdStrike Intel Indicators TA (Required) | [>=3.1.2](https://splunkbase.splunk.com/app/5083)
Add-on has a web UI | No, this add-on does not contain views.
+Author | [Dennis Morton](https://www.linkedin.com/in/dennis-morton-627632/)
## Issues or Feature Requests
-Please open an issue or feature request on [Github](https://github.com/rba-community/SA-#TODO/issues).
+Please open an issue or feature request on [Github](https://github.com/rba-community/SA-CrowdstrikeIntelIndicators/issues).
-[#TODO]: https://www.#TODO.com/
\ No newline at end of file
+[cs]: https://www.crowdstrike.com/
\ No newline at end of file
diff --git a/docs/components/all-configurations.md b/docs/components/all-configurations.md
deleted file mode 100644
index 93b8d01..0000000
--- a/docs/components/all-configurations.md
+++ /dev/null
@@ -1,21 +0,0 @@
-# All Configurations
-
-# TODO - DELETE THIS LINE - Example Only
-
-Below is a table that list all configuration for this add-on.
-
-Name | Type | Web Location | CLI Location\* | Description
----- | ---- | ------------ | ------------- | -----------
-#TODO Assets - Lookup Gen | Saved Search | Settings > Searches reports, and alerts | savedsearches.conf | Populates the lookup file `sa_#TODO_assets`.
-#TODO Assets - Lookup Cleanup | Saved Search | Settings > Searches reports, and alerts | savedsearches.conf | removes old entries from kvstore lookup: `sa_#TODO_assets`.
-sa_#TODO_assets | lookup | Settings > Lookups > Lookup definitions | transforms.conf | Lookup definition for the KVStore collection `sa_#TODO_assets_collection`.
-sa_#TODO_assets_collection | KVStore collection | n/a\*\* | collections.conf | KVStore configuration.
-sa_#TODO_index | Search macro | Settings > Advanced Search > Search Macros | macros.conf | Index definition for the #TODO index that contains the sourcetype `#TODO:insightvm:asset`.
-sa_#TODO_retention | Search macro | Settings> Advanced Search > Search Macros | macros.conf | The amount of time for the device not being updated before it is removed from the lookup. `default "-31d"`
-identity_manager://sa_#TODO_assets | Asset lookup configuration | Enterprise Security > Configure > Data Enrichment > Asset and Identity Management > Asset Lookups | inputs.conf | Asset configuration lookup to load #TODO Assets into the asset database.
-
-> \*CLI locations are relative to `../default`. Any update to CLI configuration files should be done in the local directory.
-
-!!!info
-**If you have the [Splunk App for Lookup File Editing:icon-link-external:](https://splunkbase.splunk.com/app/263){ target="blank" }, the KVStore collection `sa_#TODO_assets_collection` is viewable within the Web interface.
-!!!
\ No newline at end of file
diff --git a/docs/components/asset-mapping.md b/docs/components/asset-mapping.md
deleted file mode 100644
index 329e4bd..0000000
--- a/docs/components/asset-mapping.md
+++ /dev/null
@@ -1,28 +0,0 @@
-# Asset Database Mapping
-
-# TODO - DELETE THIS LINE - Example
-
-The following table describes how this add-on maps to the Asset Database.
-
-> reference [Format an asset or identity in Splunk ES:icon-link-external:](https://docs.splunk.com/Documentation/ES/latest/Admin/Formatassetoridentitylist#Asset_lookup_header){ target="blank" }
-
-ES Asset lookup field | [#TODO InsightVM TA Fields:icon-link-external:](https://splunkbase.splunk.com/app/#TODO){ target="blank" } | Example value | Multi-value allowed
---- | --- | --- | ---
-ip | `ip` | 10.15.23.8 | true
-mac | `mac` | 61:se:e3:1s:7r:38 | true
-nt_host | `host_name` | dev-server01 | false
-dns | `hostname` | dev-server01.example.com | true
-owner | n/a | `not mapped` | n/a
-priority | see [Configure Priority](../configure/priority.md) | medium | false
-lat | n/a | `not mapped` | n/a
-long | n/a | `not mapped` | n/a
-city | n/a | `not mapped` | n/a
-country | n/a | `not mapped` | n/a
-bunit | n/a | `not mapped` | n/a
-category | see [Category field reference](category.md) | see [Category field reference](category.md) | true
-pci_domain | n/a | `not mapped` | n/a
-is_expected | n/a | `not mapped` | n/a
-should_timesync | n/a | `not mapped` | n/a
-should_update | n/a | `not mapped` | n/a
-requires_av | n/a | `not mapped` | n/a
-cim_entity_zone | n/a | `not mapped` | n/a
\ No newline at end of file
diff --git a/docs/components/category.md b/docs/components/category.md
deleted file mode 100644
index f0e117b..0000000
--- a/docs/components/category.md
+++ /dev/null
@@ -1,56 +0,0 @@
-# Category Field
-
-## Default category field mapping
-
-# TODO - DELETE THIS LINE - EXAMPLE
-
-Mapped Field | #TODO Event Field | Example value
------------- | ----------------------- | -------------
-exploits | `exploits` | 1
-id | `id` | s3jd0xad-cb69-47dc-9bd1-nckd8eu9dwsk-default-asset-8888
-last_scan | `last_scan_end` | 09/06/23 20:54:05 MDT
-os_arch | `os_architecture` | x86_64
-os_description | `os_description` | Microsoft Windows Server 2016 Standard Edition 1607
-os_family | `os_family` | Windows
-os_name | `os_name` | Windows Server 2016 Standard Edition
-os_system_name | `os_system_name` | Microsoft Windows
-os_type | `os_type` | Server
-os_vendor | `os_vendor` | Microsoft
-os_version | `os_version` | 1607
-policies_assessed | `assessed_for_policies` | false
-risk_score | `risk_score` | 18342.296875
-tags | `tags{}.type` + `tags{}.name`| SITE: #TODO insight agents
-type | `type` | guest
-vuln_assessed | `assessed_for_vulnerabilities` | true
-vuln_critical | `critical_vulnerabilities` | 13
-vuln_moderate | `moderate_vulnerabilities` | 2
-vuln_severe | `severe_vulnerabilities` | 92
-vuln_total | `total_vulnerabilities` | 107
-splunk_last_update | n/a | 08/26/22 18:54:42 MDT
-
-### Full example of category value
-
-```yaml
-exploits: 1
-gen: sa-#TODO
-id: s3jd0xad-cb69-47dc-9bd1-nckd8eu9dwsk-default-asset-8888
-last_scan: 09/06/23 20:54:05 MDT
-os_arch: x86_64
-os_description: Microsoft Windows Server 2016 Standard Edition 1607
-os_family: Windows
-os_name: Windows Server 2016 Standard Edition
-os_system_name: Microsoft Windows
-os_type: Server
-os_vendor: Microsoft
-os_version: 1607
-policies_assessed: false
-risk_score: 18342.296875
-splunk_last_updated: 09/06/23 21:40:30 MDT
-tags: SITE: #TODO insight agents
-type: guest
-vuln_assessed: true
-vuln_critical: 13
-vuln_moderate: 2
-vuln_severe: 92
-vuln_total: 107
-```
\ No newline at end of file
diff --git a/docs/components/index.yml b/docs/components/index.yml
deleted file mode 100644
index be42ff1..0000000
--- a/docs/components/index.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-order: -4
-icon: tools
\ No newline at end of file
diff --git a/docs/configure/category.md b/docs/configure/category.md
deleted file mode 100644
index 45b7fa7..0000000
--- a/docs/configure/category.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Category Field
-
-!!!info To update the `category` field modify the `#TODO Assets - Lookup Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](clone-search.md)).
-!!!
-
-The category field by default includes many important fields. Most will find that the default configuration for this field will work for their needs.
-
-This field is an eval statement with multiple functions to map and clean field values. See the [Category Field reference](../components/category.md) for full field mappings and example values.
diff --git a/docs/configure/cleanup.md b/docs/configure/cleanup.md
deleted file mode 100644
index e5324ec..0000000
--- a/docs/configure/cleanup.md
+++ /dev/null
@@ -1,34 +0,0 @@
-# Update Cleanup
-
-The saved search `#TODO Assets - Lookup Cleanup` runs every day at 3:03 am to remove old/stale device data from the kvstore. By default, it will remove any device that has not reported in longer than 31 days.
-
-!!!info Note
-Even though an asset may be removed, it will be re-added by the saved search `#TODO Assets - Lookup Gen` if it is found in the data again.
-!!!
-
-## Update Search Macro
-
-To change the retention period from the default, there is a search macro that will need to be updated.
-
-1. Navigate to Settings > Advanced Search > Search Macros.
-2. Set the "App" to `SA-#TODO`.
-3. Set the "Owner" to `Any`.
-4. Click on `sa_#TODO_retention` to modify the definition.
-5. Set the definition to a valid [time modifier:icon-link-external:](https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers#How_to_specify_relative_time_modifiers){ target="blank" }.
-
-!!!success Note
-__Make sure to keep the quotes around the definition.__
-i.e. "-7d\@d"
-!!!
-
-## Update Cleanup Search Schedule
-
-It may also be necessary to update how often the cleanup search runs (default: Monthly).
-
-To update the default schedule perform the following steps:
-
-1. Navigate to Settings > Searches, reports, and alerts.
-1. Set the "App" dropdown to `SA-#TODOAssets`.
-1. Set the "Owner" dropdown to `All`.
-1. Click "Edit" under actions for the search `#TODO Assets - Lookup Cleanup`
-1. Click "Edit Schedule" and update the schedule and necessary.
diff --git a/docs/configure/clone-search.md b/docs/configure/clone-search.md
deleted file mode 100644
index df759f9..0000000
--- a/docs/configure/clone-search.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-order: -100
----
-
-# Clone default saved search
-
-In order to preserve the default behavior and to compare changes to new releases, it is recommended to clone the default search `#TODO Assets - Lookup Gen` before making any changes.
-
-## Clone
-
-Perform the following to clone the default search:
-
-1. Navigate to Settings > Searches, reports, and alerts.
-1. Change "App" filter to `SA-#TODOAssets`.
-1. Change "Owner" to `All`.
-1. For the search named "#TODO Assets - Lookup Gen" click "Edit" under Actions.
-1. From the dropdown menu click "Clone."
-1. (optional) Update the Title.
-1. Set "Permissions" to `clone`.
-1. Click "Clone Report" to finish.
-
-## Disable default search
-
-!!!success Disable the original search
-!!!
-
-1. For the search named "#TODO Assets - Lookup Gen" click "Edit" under Actions.
-1. From the dropdown menu click "Disable" to disable the default search.
diff --git a/docs/configure/index.md b/docs/configure/index.md
deleted file mode 100644
index 2d3dc1e..0000000
--- a/docs/configure/index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-order: -3
-icon: gear
-label: Advanced Configurations
----
-
-# Configure
-
-Each field can be customized to fit your environment. The following fields should be examined and tailored to your data.
-
-!!!success It is recommended to clone the default search before making changes (see [Clone Saved Search](clone-search.md)).
-!!!
-
-- [Update Priority](priority.md) (recommended)
-- [Update Category](category.md)
-- [Update Cleanup](cleanup.md)
diff --git a/docs/configure/priority.md b/docs/configure/priority.md
deleted file mode 100644
index c0a8a81..0000000
--- a/docs/configure/priority.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# Priority Field
-
-!!!primary To update the `priority` field modify the `#TODO Assets - Lookup Gen` saved search. It is recommended to clone the default search before making changes (see [Clone Saved Search](clone-search.md)).
-!!!
-
-The priority field is very generic by default and should be updated to suite your environment. The following table describes how this field is set.
-
-Type | Condition | Severity | Description
----- | --------- | -------- | -----------
-Expression | exploits>=1 | `critical` | Any system with more than 1 exploit is set to critical.
-RegEx\* | server | `high` | Sets systems categorized as "servers" to high.
-Expression | critical_vulnerabilities>=1 | `high` | Systems with more than one critical vulnerability is set to high.
-Expression | risk_score>=upper_risk | `high` | Systems in the top 5% of risk are set to high.
-Expression | moderate_vulnerabilities>=1 | `medium` | Systems with more than one moderate vulnerability are set to medium.
-boolean | true() | `low` | catch-all. Remaining devices receive low severity.
-
-
-> \*Regex Match is performed on the category field.
-
-Default priority field definition
-
-```python
-priority=case(
- exploits>=1, "critical",
- match(category, "(?i)server"), "high",
- critical_vulnerabilities>=1, "high",
- risk_score>=upper_risk, "high",
- moderate_vulnerabilities>=1, "medium",
- true(), "low"
- )
-```
diff --git a/docs/favicon.txt b/docs/favicon.txt
deleted file mode 100644
index 378c954..0000000
--- a/docs/favicon.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-# TODO: DELETE THIS FILE
-
-Use the following to create a favicon and put it at /docs
-
-https://realfavicongenerator.net/
\ No newline at end of file
diff --git a/docs/index.md b/docs/index.md
deleted file mode 100644
index efc9ffe..0000000
--- a/docs/index.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-icon: home
-label: Home
----
-
-![](static/#TODO.webp)
-
-# Welcome to the Docs!
-
-The #TODO add-on allows Splunk Enterprise Security admins to use [#TODO:icon-link-external:][#TODO]{ target="blank" } asset data with the Asset Database. This documentation will cover the components used in the add-on and advanced configurations.
-
-!!!danger Important
-This Supporting add-on is only intended to work with [Splunk Enterprise Security:icon-link-external:](https://splunkbase.splunk.com/app/263){ target="blank" } deployments.
-!!!
-
-> __*Disclaimer*__
->
-> *This Splunk Supporting Add-on is __not__ affiliated with [__#TODO__:icon-link-external:][#TODO]{ target="blank" } and is not sponsored or sanctioned by the #TODO team. Please visit [#TODO:icon-link-external:][#TODO]{ target="blank" } for more information about #TODO.*
-
-## Assumptions
-
-This documentation assumes the following:
-
-1. You have a working Splunk Enterprise Security environment. __This add-on is not intended to work without Splunk ES.__
-2. You already have #TODO asset data ingested using the [#TODO Add-On:icon-link-external:](https://splunkbase.splunk.com/app/#TODO){ target="blank" }.
-3. Familiarity with setting up a new Asset source in Enterprise Security.
-
-## About
-
-Info | Description
-------|----------
-#TODO | #TODO - [Splunkbase:icon-link-external:](https://splunkbase.splunk.com/app/#TODO){ target="blank" } \| [GitHub:icon-link-external:](https://github.com/rba-community/SA-#TODO/releases/){ target="blank" }
-Splunk Enterprise Security Version (Required) | [7.x \| 6.x:icon-link-external:](https://splunkbase.splunk.com/app/263){ target="blank" }
-#TODO Technology Add-On (Required) | [>=1.3.2:icon-link-external:](https://splunkbase.splunk.com/app/#TODO){ target="blank" }
-Add-on has a web UI | No, this add-on does not contain views.
-
-[#TODO]: #TODO
\ No newline at end of file
diff --git a/docs/releases/compatibility.md b/docs/releases/compatibility.md
deleted file mode 100644
index 1399ad2..0000000
--- a/docs/releases/compatibility.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-icon: check-circle
----
-
-# Compatibility
-
-Product | Version
---------- | -------
-Splunk platform versions | 9.x, 8.x
-Splunk Enterprise Security version | [7.x, 6.x:icon-link-external:](https://splunkbase.splunk.com/app/263){ taget="blank" }
-#TODO Technology Add-On Version | [>=1.3.2:icon-link-external:](https://splunkbase.splunk.com/app/#TODO){ taget="blank" }
\ No newline at end of file
diff --git a/docs/releases/index.md b/docs/releases/index.md
deleted file mode 100644
index 312fd28..0000000
--- a/docs/releases/index.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-order: -100
-icon: project-roadmap
-label: Releases
----
-
-# Release Notes
-
-# TODO - EXAMPLE
-
----
-
-## v3.4.0 [!badge text="LATEST" variant="info"]
-
-Released: [2023-09-08](https://github.com/retypeapp/retype/releases/tag/v3.4.0)
-
-+++ New :icon-shield-check:
-- [x] [!badge PRO](/pro/pro.md) New `hub` [Project](/configuration/project.md#hub) config with `<` header link, see [#592](https://github.com/retypeapp/retype/discussions/592)
-- [x] [!badge PRO](/pro/pro.md) New `toc` [Project](/configuration/project.md#toc) and [Page](/configuration/page.md#toc) config and features, see [#598](https://github.com/retypeapp/retype/discussions/598)
-- [x] Automatically scroll ToC with page content, see [#375](https://github.com/retypeapp/retype/discussions/375)
-+++ Improved :icon-thumbsup:
-- [x] Upgrade Octicons icons library from v19.6.0 to v19.7.0
-+++ Fixed :icon-bug:
-- [x] Tree nav `expanded` state not saving
-+++
-
----
\ No newline at end of file
diff --git a/docs/releases/issues.md b/docs/releases/issues.md
deleted file mode 100644
index 59dcac5..0000000
--- a/docs/releases/issues.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-icon: bug
-order: -100
----
-
-# Known issues
-
-Issue | Description | Solution | GitHub issue reference
------ | ----------- | -------- | ----------------------
-Lookup file error | You may see the error `status="Lookup file error, unknown path or update time" name=sa_#TODO_assets` | This error exists since the KVstore is being used opposed to a csv file and does not interfere with the functionality of lookup creation. | Similar Issue [#22:icon-link-external:](https://github.com/ZachChristensen28/SA-CrowdstrikeDevices/issues/22){ target="blank" }
-
- Issues can be reported on the [#TODO Github page:icon-link-external:](https://github.com/rba-community/SA-#TODO/issues){ target="blank" }.
\ No newline at end of file
diff --git a/docs/retype.yml b/docs/retype.yml
deleted file mode 100644
index bd20548..0000000
--- a/docs/retype.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-# DELETE THIS LINE: More info at https://retype.com/
-input: .
-output: .retype
-url: #TODO
-branding:
- title: #TODO
- label: v1.0.0
- logo: static/#TODO.svg
- colors:
- label:
- text: "#fff"
- background: "#e85e26"
-links:
-- text: Splunkbase
- link: https://splunkbase.splunk.com/#TODO
- target: blank
- icon: apps
-- text: GitHub
- link: https://github.com/rba-community/#TODO/releases
- target: blank
- icon: mark-github
-footer:
- copyright: "© Copyright {{ year }}. All rights reserved.\nMade with :icon-heart-fill: by [#TODO](#TODO){ target=blank }"
- links:
- - text: Connect with #TODO on LinkedIn
- link: https://www.linkedin.com/in/#TODO/
- target: blank
-markdown:
- lineBreaks: hard
\ No newline at end of file
diff --git a/docs/start/build.md b/docs/start/build.md
deleted file mode 100644
index a834b8e..0000000
--- a/docs/start/build.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-order: -4
-icon: workflow
-label: Force build
----
-
-# Force initial build
-
-!!!info Optional
-!!!
-
-The initial build will not occur until the first scheduled runtime (see [Update default saved search schedule](scheduled-search.md)). To force the initial build perform the following:
-
-1. Navigate to Settings > Searches, reports, and alerts.
-2. Set the "App" dropdown to `SA-#TODO`.
-3. Set the "Owner" dropdown to `All`.
-4. Click "Run" under actions for the search `#TODO Assets - Lookup Gen`.
-
-!!!info Note
-The search will run in a new tab over the default time period of 60 minutes. Expand to longer timeframe for the initial build (i.e. Last 30 days). The default search is configured to run hourly to continually append new devices reported from #TODO.
-!!!
\ No newline at end of file
diff --git a/docs/start/index.md b/docs/start/index.md
deleted file mode 100644
index 3c442d7..0000000
--- a/docs/start/index.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-order: -2
-icon: rocket
-expanded: true
----
-
-# Getting Started
-
-!!!primary This add-on has a saved search and Asset configuration input enabled by default.
-!!!
-
-## Navigation
-
-!!!warning Check the [Prerequisites](prerequisites.md)
-!!!
-
-1. [Where to Install](install.md)
-2. [Update default index](macro.md)
-3. [Force Build](build.md) (optional)
-4. [Enable Asset Correlation in ES](sources.md)
-5. [Update default schedule](scheduled-search.md) (optional)
diff --git a/docs/start/install.md b/docs/start/install.md
deleted file mode 100644
index c1e471b..0000000
--- a/docs/start/install.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-order: -2
-label: Where to Install
-icon: package
----
-
-# Where to Install
-
-!!!danger Important
-This supporting add-on must be installed alongside Splunk Enterprise Security. Ensure the [prequisites](prerequisites.md) have been completed before proceeding.
-!!!
-
-For detailed information on where to install Splunk Apps/add-ons, including best practices, can be found at [Splunk Docs: About Installing Splunk add-ons:icon-link-external:](https://docs.splunk.com/Documentation/AddOns/released/Overview/Wheretoinstall){ target="blank" }
-
-## Splunk Cloud
-
-Install this app to your Enterprise Security Search head. See [How to install apps on Splunk Cloud:icon-link-external:](https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/SelfServiceAppInstall){ target="blank" }.
-
-## Standalone Deployments (with Splunk ES)
-
-Install this add-on to the single instance. For more information see [Splunk Docs: Install add-on in a single-instance Splunk deployment:icon-link-external:](https://docs.splunk.com/Documentation/AddOns/released/Overview/Singleserverinstall){ target="blank" }
-
-## Distributed Deployments
-
-!!!primary Install on Enterprise Security Search head _**only**_
-!!!
-
-Splunk Instance type | Supported | Required | Comments
--------------------- | --------- | -------- | --------
-Enterprise Security Search Head | Yes | Yes | Install this add-on to the Enterprise Security Search Head.
-Splunk Core Search Head (without ES) | No | No | Do not install on regular search heads.
-Indexers | No | No | Do not install on Indexers.
-Heavy Forwarders | No | No | Do not install on Heavy Forwarders.
-Universal Forwarders | No | No | Do not install on Universal Forwarders.
-
-The installation steps for deploying Apps/add-ons in a distributed environment can be found at [Splunk Docs: Install an add-on in a distributed Splunk deployment:icon-link-external:](https://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall){ target="blank" }
-
-## Distributed Deployment Compatibility
-
-Distributed deployment feature | Supported | Comments
------------------------------- | --------- | --------
-Search Head Clusters | Yes | You can install this add-on to an Enterprise Security search head cluster.
-Indexer Clusters | No | Do not deploy this add-on to an Indexer cluster.
-Deployment Server | No | There is no need to use a deployment server to deploy this add-on.
-
-\* For more information, see Splunk's [documentation:icon-link-external:](https://docs.splunk.com/Documentation/AddOns/released/Overview/Installingadd-ons){ target="blank" } on installing Add-ons.
diff --git a/docs/start/macro.md b/docs/start/macro.md
deleted file mode 100644
index 3e73318..0000000
--- a/docs/start/macro.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-order: -3
-label: Update Index
-icon: command-palette
----
-
-# Update Splunk Index
-
-!!!danger [Danger, Will Robinson:icon-link-external:](https://cultural-phenomenons.fandom.com/wiki/Danger,_Will_Robinson){ target="blank" }
-Failure to update the index to the correct setting will cause no devices to be available in Splunk Enterprise Security.
-!!!
-
-The index definition is set by a search macro.
-
-Macro | Default | Description
------ | ------- | -----------
-`sa_#TODO_index` | index=#TODO | Index definition for #TODO asset index.
-
-> Update the index definition to the correct index that contains the `#TODO:insightvm:asset` sourcetype.
-
-## How to update
-
-==- :icon-star-fill: Use Enterprise Security's Settings (Recommended)
-1. (In Splunk Enterprise Security) Navigate to Configure > General > General Settings.
-2. From the "App" dropdown select `SA-#TODO`.
-3. Update the SA-#TODO Index definition and click "Save."
-==- Update Search Macro Manually
-1. Navigate to Settings > Advanced Search > Search Macros.
-2. From the "App" dropdown choose `SA-#TODO`.
-3. Set the "Owner" dropdown to `any`.
-4. Click the macro named `sa_#TODO_index` to update the index definition.
-===
\ No newline at end of file
diff --git a/docs/start/prerequisites.md b/docs/start/prerequisites.md
deleted file mode 100644
index da13767..0000000
--- a/docs/start/prerequisites.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-order: -1
-icon: stop
----
-
-# Prerequisites
-
-!!!danger Important
-Complete the prerequisites before installing this add-on.
-!!!
-
-Required App | Version | Description
------------- | ------- | -----------
-[Splunk Enterprise Security:icon-link-external:](https://splunkbase.splunk.com/app/263){ target="blank" } | 7.x \| 6.x | This add-on supports Splunk ES and is not designed to work without it.
-[#TODO InsightVM Technology Add-On:icon-link-external:](https://splunkbase.splunk.com/app/#TODO){ target="blank" } | >=1.3.2 | #TODO asset data must be brought in prior to installing this add-on. See [#TODO's documentation:icon-link-external:](https://splunkbase.splunk.com/app/#TODO){ target="blank" } for more information.
diff --git a/docs/start/scheduled-search.md b/docs/start/scheduled-search.md
deleted file mode 100644
index f148fe1..0000000
--- a/docs/start/scheduled-search.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-order: -6
-label: Update schedule
-icon: clock
----
-
-# Update default saved search schedule
-
-!!!info Optional
-!!!
-
-The default saved search runs on the 39th minute of every hour to update and continually build and update the #TODO assets. To update the default schedule perform the following steps:
-
-1. Navigate to Settings > Searches, reports, and alerts.
-1. Set the "App" dropdown to `SA-#TODO`.
-1. Set the "Owner" dropdown to `All`.
-1. Click "Edit" under actions for the search `#TODO - Lookup Gen`.
-1. Click "Edit Schedule" and update the schedule and necessary.
\ No newline at end of file
diff --git a/docs/start/sources.md b/docs/start/sources.md
deleted file mode 100644
index 2cea9b5..0000000
--- a/docs/start/sources.md
+++ /dev/null
@@ -1,23 +0,0 @@
----
-order: -5
-icon: play
----
-
-# Enable asset correlation
-
-Confirm asset correlation has been setup in Enterprise Security.
-
-1. Navigate to Enterprise Security > Configure > Data Enrichment > Asset and Identity Management.
-1. Switch to the "Correlation Setup" tab.
-1. Either enable for all sourcetypes (Recommended) or selectively by sourcetype.
- - If you choose to enable select sourcetypes, ensure the `stash` sourcetype is also selected so Notable events will be enriched with asset information.
-1. Save.
-
----
-
-## Disable existing asset sources
-
-!!! info Optional
-!!!
-
-It may be possible that you have existing Asset Lookups defined. If #TODO is considered your "single source of truth" in your environment the existing lookups may no longer be needed.
\ No newline at end of file
diff --git a/docs/static/asset-key-field.png b/docs/static/asset-key-field.png
deleted file mode 100644
index 8c866a0..0000000
Binary files a/docs/static/asset-key-field.png and /dev/null differ
diff --git a/docs/troubleshooting/asset-merge.md b/docs/troubleshooting/asset-merge.md
deleted file mode 100644
index 8bb6056..0000000
--- a/docs/troubleshooting/asset-merge.md
+++ /dev/null
@@ -1,68 +0,0 @@
-# Asset Merge
-
- It is possible that some of your devices share a common key field (`dns`, `ip`, `mac`, `nt_host`) that is causing an erroneous merge of your assets. There are a few ways to overcome this:
-
-- [Asset Merge](#asset-merge)
- - [Problem Scenario](#problem-scenario)
- - [Default merge](#default-merge)
- - [Expected behavior](#expected-behavior)
- - [Solutions](#solutions)
- - [Disable Asset Merging](#disable-asset-merging)
- - [Update Asset Key Fields](#update-asset-key-fields)
-
-## Problem Scenario
-
-Consider you have the following assets:
-
-Host | dns | ip | mac | nt_host
----- | --- | -- | --- | -------
-host1 | host1.local | ==10.0.34.9== | 77:61:f5:cb:33:a7 | host1
-host2 | host2.local | ==10.0.34.9== | a5:e7:5c:39:77:d1 | host2
-
-Since these two systems share the same IP they will be merged into a single asset by default.
-
-### Default merge
-
-Asset | dns | ip | mac | nt_host
------ | --- | -- | --- | -------
-host1
host2
host1.local
10.0.34.9
77:61:f5:cb:33:a7
a5:e7:5c:39:77:d1 | host1.local
host2.local | 10.0.34.9 | 77:61:f5:cb:33:a7
a5:e7:5c:39:77:d1 | host1
host2
-
-### Expected behavior
-
-_see next section to accomplish this expected behavior_
-
-Asset | dns | ip | mac | nt_host
------ | --- | -- | --- | -------
-host1
host1.local
10.0.34.9
77:61:f5:cb:33:a7 | host1.local | 10.0.34.9 | 77:61:f5:cb:33:a7 | host1
-host2
host2.local
10.0.34.9
a5:e7:5c:39:77:d1 | host2.local | 10.0.34.9 | a5:e7:5c:39:77:d1 | host2
-
-## Solutions
-
-### Disable Asset Merging
-
-If #TODO is your **_only_** data source for assets, you can disable asset merge in the global settings.
-
-!!!warning This is not recommended if you have more than one asset list configured (see next section)
-!!!
-
-1. In Enterprise Security navigate to Configure > Data Enrichment > Asset and Identity Management > Global Settings.
-2. Toggle off "Assets" under `Enable Merge for Assets or Identities`.
-
-Changes should reflect the next time the Asset database builds (usually 5-10 minutes).
-
-\*_For more information, see [Splunk Docs:icon-link-external:](https://docs.splunk.com/Documentation/ES/latest/Admin/Merge){ target="blank" }._
-
-### Update Asset Key Fields
-
-If you have more than one asset list configured you can look at disabling the common key field to prevent the default merging behavior.
-
-!!!success In most cases, the IP field will be field that needs to disabled as the key field.
-!!!
-
-1. (In Enterprise Security) Navigate to Configure > Data Enrichment > Asset and Identity Management.
-1. Select the "Asset Fields" Tab.
-1. Select the `ip` field (or the field you want to disable) and "uncheck" it from being a Key.
-
-![Disable Asset Key by unchecking "Key"](../static/asset-key-field.png)
-
-Changes should reflect the next time the Asset database builds (usually 5-10 minutes).
\ No newline at end of file
diff --git a/docs/troubleshooting/index.md b/docs/troubleshooting/index.md
deleted file mode 100644
index 8533d18..0000000
--- a/docs/troubleshooting/index.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-order: -4
-icon: question
----
-
-# Troubleshooting
-
-There can be many issues when setting up a new app/add-on in Splunk. Below highlights the most common issues with this Add-on. Don't see your issue? Submit a new issue on [Github:icon-link-external:](https://github.com/rba-community/SA-#TODO/issues){ target="blank" }.
-
-Issue | Description | Solution
------ | ----------- | --------
-Multiple asset merge | It is possible that some of your devices share a common key field (`dns`, `ip`, `mac`, `nt_host`) which will cause merging by default. |See the [Asset Merge Solutions](asset-merge.md) for ways to improve the merging behavior.
-Asset Database not populating with #TODO Data | The asset database may show no #TODO data if the initial search has not run to build the asset database or the default macro has not been updated. | Verify the default macro has the correct index definition (see [Update Default Macro](../start/macro.md)). Also see [Force build](../start/build.md) to build the #TODO assets lookup before the first scheduled run.
\ No newline at end of file
diff --git a/src/SA-CrowdstrikeIntelIndicators/app.manifest b/src/SA-CrowdstrikeIntelIndicators/app.manifest
new file mode 100644
index 0000000..6a9fc47
--- /dev/null
+++ b/src/SA-CrowdstrikeIntelIndicators/app.manifest
@@ -0,0 +1,69 @@
+{
+ "schemaVersion": "2.0.0",
+ "info": {
+ "title": "SA-CrowdstrikeIntelIndicators",
+ "id": {
+ "group": null,
+ "name": "SA-CrowdstrikeIntelIndicators",
+ "version": "1.0.0"
+ },
+ "author": [
+ {
+ "name": "Dennis Morton",
+ "email": null,
+ "company": null
+ }
+ ],
+ "releaseDate": null,
+ "description": "Adds CrowdStrike's intelligence indicators to Splunk Enterprise Security's threat framework.",
+ "classification": {
+ "intendedAudience": "Security",
+ "categories": [
+ "Endpoint",
+ "Security, Fraud, & Compliance",
+ "Information"
+ ],
+ "developmentStatus": "Production/Stable"
+ },
+ "commonInformationModels": null,
+ "license": {
+ "name": "Apache License",
+ "text": null,
+ "uri": "https://www.apache.org/licenses/LICENSE-2.0"
+ },
+ "privacyPolicy": {
+ "name": "Splunk Privacy Policy",
+ "text": null,
+ "uri": "https://www.splunk.com/en_us/legal/privacy/privacy-policy.html"
+ },
+ "releaseNotes": {
+ "name": "README",
+ "uri": "https://cs-intel.rba.community/releases/"
+ }
+ },
+ "dependencies": {
+ "TA-crowdstrike-intel-indicators": {
+ "version": ">=3.1.2",
+ "optional": true
+ },
+ "SplunkEnterpriseSecuritySuite": {
+ "version": ">=7.0.0",
+ "optional": false
+ }
+ },
+ "tasks": [
+ "threatlist://crowdstrike_ip_intel",
+ "threatlist://crowdstrike_domain_intel",
+ "threatlist://crowdstrike_url_intel",
+ "threatlist://crowdstrike_hash_intel"
+ ],
+ "inputGroups": null,
+ "incompatibleApps": null,
+ "platformRequirements": null,
+ "supportedDeployments": [
+ "*"
+ ],
+ "targetWorkloads": [
+ "_search_heads"
+ ]
+}
\ No newline at end of file
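Review bot: `TA-crowdstrike-intel-indicators` is declared `"optional": true`, yet the add-on has no data source other than that TA's indexed events (the packaged `crowdstrike_intel_index` macro reads `index=crowdstrike_ioc`), so on an install without it every intel lookup stays empty and the four `threatlist://` tasks listed here have nothing to load. If the flag is deliberate because the TA normally runs on an input tier rather than the ES search head, that reasoning is invisible to the installer; since a manifest cannot carry comments, state it in `description`, e.g. `"Adds CrowdStrike's intelligence indicators to Splunk Enterprise Security's threat framework. Requires the TA-crowdstrike-intel-indicators data (Splunkbase app 5083) to already be indexed."`. Otherwise `"optional": false` would let the package check catch the missing dependency.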
diff --git a/src/SA-CrowdstrikeIntelIndicators/default/app.conf b/src/SA-CrowdstrikeIntelIndicators/default/app.conf
new file mode 100644
index 0000000..28160f6
--- /dev/null
+++ b/src/SA-CrowdstrikeIntelIndicators/default/app.conf
@@ -0,0 +1,26 @@
+# DO NOT EDIT THIS FILE!
+# Please make all changes to files in ../local.
+# To make changes, copy the section/stanza you want to change from ./default
+# into ../local and edit there.
+
+[install]
+state_change_requires_restart = false
+is_configured = 0
+state = enabled
+build = 2
+
+[launcher]
+author = Dennis Morton
+description = Processes Intel Indicators from https://splunkbase.splunk.com/app/5083 into ES Threat Intelligence lookups.
+version = 1.0.0
+
+[ui]
+is_visible = 0
+label = SA-CrowdstrikeIntelIndicators
+
+[package]
+id = SA-CrowdstrikeIntelIndicators
+
+[id]
+name = SA-CrowdstrikeIntelIndicators
+version = 1.0.0
diff --git a/src/SA-CrowdstrikeIntelIndicators/default/distsearch.conf b/src/SA-CrowdstrikeIntelIndicators/default/distsearch.conf
new file mode 100644
index 0000000..e59f9c3
--- /dev/null
+++ b/src/SA-CrowdstrikeIntelIndicators/default/distsearch.conf
@@ -0,0 +1,7 @@
+# DO NOT EDIT THIS FILE!
+# Please make all changes to files in ../local.
+# To make changes, copy the section/stanza you want to change from ./default
+# into ../local and edit there.
+
+[replicationDenylist]
+crowdstrike = apps[/\\]SA-CrowdstrikeIntelIndicators[/\\]lookups[/\\]crowdstrike_*_intel.csv
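Review bot: The `[replicationDenylist]` entry gives no reason why these CSVs must stay out of the knowledge bundle, which invites someone to remove it when a search "can't find the lookup" on the indexers. The intel CSVs are read locally on the search head by the `threatlist://` inputs (`url = lookup://…` in inputs.conf) and are regenerated daily, so shipping them to every indexer only inflates the bundle; a comment above the line such as `# Intel CSVs are consumed locally by the threatlist:// inputs; keep them out of the knowledge bundle sent to indexers` would preserve that intent. Note this list only affects the search-head-to-indexer bundle; on a search head cluster the files still replicate between members, which is presumably what the inputs rely on — confirm.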
diff --git a/src/SA-CrowdstrikeIntelIndicators/default/inputs.conf b/src/SA-CrowdstrikeIntelIndicators/default/inputs.conf
new file mode 100644
index 0000000..f27f617
--- /dev/null
+++ b/src/SA-CrowdstrikeIntelIndicators/default/inputs.conf
@@ -0,0 +1,81 @@
+# DO NOT EDIT THIS FILE!
+# Please make all changes to files in ../local.
+# To make changes, copy the section/stanza you want to change from ./default
+# into ../local and edit there.
+
+[threatlist://crowdstrike_ip_intel]
+debug = false
+delim_regex = ,
+description = Crowdstrike IP Intel
+file_parser = auto
+ignore_regex = (^#|^\s*$)
+interval = 43200
+is_threatintel = true
+max_age = -7d
+max_size = 52428800
+retries = 3
+retry_interval = 60
+sinkhole = true
+skip_header_lines = 0
+timeout = 30
+type = crowdstrike
+url = lookup://crowdstrike_ip_intel
+weight = 60
+
+[threatlist://crowdstrike_domain_intel]
+debug = false
+delim_regex = ,
+description = Crowdstrike Domain Intel
+file_parser = auto
+ignore_regex = (^#|^\s*$)
+interval = 43200
+is_threatintel = true
+max_age = -7d
+max_size = 52428800
+retries = 3
+retry_interval = 60
+sinkhole = true
+skip_header_lines = 0
+timeout = 30
+type = crowdstrike
+url = lookup://crowdstrike_domain_intel
+weight = 60
+
+[threatlist://crowdstrike_url_intel]
+debug = false
+delim_regex = ,
+description = Crowdstrike URL Intel
+file_parser = auto
+ignore_regex = (^#|^\s*$)
+interval = 43200
+is_threatintel = true
+max_age = -7d
+max_size = 52428800
+retries = 3
+retry_interval = 60
+sinkhole = true
+skip_header_lines = 0
+timeout = 30
+type = crowdstrike
+url = lookup://crowdstrike_url_intel
+weight = 60
+
+[threatlist://crowdstrike_hash_intel]
+debug = false
+delim_regex = ,
+description = Crowdstrike Hash Intel
+file_parser = auto
+ignore_regex = (^#|^\s*$)
+interval = 43200
+is_threatintel = true
+max_age = -7d
+max_size = 52428800
+retries = 3
+retry_interval = 60
+sinkhole = true
+skip_header_lines = 0
+timeout = 30
+type = crowdstrike
+url = lookup://crowdstrike_hash_intel
+weight = 60
+
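Review bot: `max_age = -7d` on all four `threatlist://` stanzas is narrower than the 30-day window (`earliest=-30d@d`) the generating macro uses to build the lookups, so the two layers disagree on how long an indicator stays actionable. If ES applies `max_age` as a retention limit on the threat-intel collections (confirm for the targeted ES version), entries older than a week would be pruned and then re-added at the next 12-hour `interval` as long as they remain in the CSV, which churns the collections without changing the outcome. Either align both to one value (e.g. `max_age = -30d`) or add a comment on each stanza stating why they differ. An explicit `disabled = 0` per stanza would also make the intended default visible next to the saved searches, one of which ships disabled.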
diff --git a/src/SA-CrowdstrikeIntelIndicators/default/macros.conf b/src/SA-CrowdstrikeIntelIndicators/default/macros.conf
new file mode 100644
index 0000000..ab99676
--- /dev/null
+++ b/src/SA-CrowdstrikeIntelIndicators/default/macros.conf
@@ -0,0 +1,21 @@
+# DO NOT EDIT THIS FILE!
+# Please make all changes to files in ../local.
+# To make changes, copy the section/stanza you want to change from ./default
+# into ../local and edit there.
+
+[update_crowdstrike_intel_lookup(3)]
+args = crowdstrike_type, es_type, lookup_name
+definition = `crowdstrike_intel_index` type=$crowdstrike_type$ deleted!=true earliest=-30d@d\
+| fillnull value="n/a" malicious_confidence, last_updated, malware_families, kill_chains \
+| rename indicator as $es_type$, malicious_confidence as confidence, last_updated as updated \
+| eval kill_chains=mvjoin(kill_chains, ","), malware_families=mvjoin(malware_families, ",")\
+| eval description="confidence:" + confidence + "|" + "last_updated:" + updated + "|" + "malware_families:" + malware_families + "|" + "kill_chains:" + kill_chains \
+| stats count latest(description) latest(updated) by $es_type$\
+| rename latest(*) as *\
+| fields - count\
+| outputlookup max=0 $lookup_name$.csv
+iseval = 0
+
+[crowdstrike_intel_index]
+definition = index=crowdstrike_ioc
+iseval = 0
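Review bot: `deleted!=true` in `update_crowdstrike_intel_lookup` only matches events that actually carry a `deleted` field; in SPL `field!=value` excludes events where the field is absent, unlike `NOT field=value`. If the TA sets `deleted` only on tombstoned indicators, every live indicator would be silently dropped and the lookups would be empty; `NOT deleted=true` keeps events without the field while still excluding tombstones. Worth checking against the TA's event schema before release. The macro's inline `earliest=-30d@d` also overrides whatever `dispatch.earliest_time` the calling saved searches set, so a comment such as `# earliest is pinned here; the calling saved searches' dispatch window is ignored` would save the next maintainer a surprise.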
diff --git a/src/SA-CrowdstrikeIntelIndicators/default/savedsearches.conf b/src/SA-CrowdstrikeIntelIndicators/default/savedsearches.conf
new file mode 100644
index 0000000..ef92c37
--- /dev/null
+++ b/src/SA-CrowdstrikeIntelIndicators/default/savedsearches.conf
@@ -0,0 +1,117 @@
+# DO NOT EDIT THIS FILE!
+# Please make all changes to files in ../local.
+# To make changes, copy the section/stanza you want to change from ./default
+# into ../local and edit there.
+
+[Crowdstrike Hash Intel - Lookup Gen]
+action.email.useNSSubject = 1
+action.keyindicator.invert = 0
+action.makestreams.param.verbose = 0
+action.nbtstat.param.verbose = 0
+action.notable.param.verbose = 0
+action.nslookup.param.verbose = 0
+action.ping.param.verbose = 0
+action.risk.forceCsvResults = 1
+action.risk.param.verbose = 0
+action.send2uba.param.verbose = 0
+action.threat_add.param.verbose = 0
+action.webhook.enable_allowlist = 0
+alert.track = 0
+cron_schedule = 0 4 * * *
+description = Generate a Hash (MD5, SHA1, and SHA256) intel lookup for consumption by the TIF.
+disabled = 1
+dispatch.earliest_time = -1h@h
+dispatch.latest_time = now
+display.general.timeRangePicker.show = 0
+display.general.type = statistics
+display.page.search.tab = statistics
+display.visualizations.show = 0
+enableSched = 1
+request.ui_dispatch_app = avista_utils
+request.ui_dispatch_view = search
+schedule_window = auto
+search = `update_crowdstrike_intel_lookup(*hash*, file_hash, crowdstrike_hash_intel)`
+
+[Crowdstrike Domain Intel - Lookup Gen]
+action.email.useNSSubject = 1
+action.keyindicator.invert = 0
+action.makestreams.param.verbose = 0
+action.nbtstat.param.verbose = 0
+action.notable.param.verbose = 0
+action.nslookup.param.verbose = 0
+action.ping.param.verbose = 0
+action.risk.forceCsvResults = 1
+action.risk.param.verbose = 0
+action.send2uba.param.verbose = 0
+action.threat_add.param.verbose = 0
+action.webhook.enable_allowlist = 0
+alert.track = 0
+cron_schedule = 0 4 * * *
+description = Generate an Domain intel lookup for consumption by the TIF.
+dispatch.earliest_time = -1h@h
+dispatch.latest_time = now
+display.general.timeRangePicker.show = 0
+display.general.type = statistics
+display.page.search.tab = statistics
+display.visualizations.show = 0
+enableSched = 1
+request.ui_dispatch_app = avista_utils
+request.ui_dispatch_view = search
+schedule_window = auto
+search = `update_crowdstrike_intel_lookup(domain, domain, crowdstrike_domain_intel)`
+
+[Crowdstrike IP Intel - Lookup Gen]
+action.email.useNSSubject = 1
+action.keyindicator.invert = 0
+action.makestreams.param.verbose = 0
+action.nbtstat.param.verbose = 0
+action.notable.param.verbose = 0
+action.nslookup.param.verbose = 0
+action.ping.param.verbose = 0
+action.risk.forceCsvResults = 1
+action.risk.param.verbose = 0
+action.send2uba.param.verbose = 0
+action.threat_add.param.verbose = 0
+action.webhook.enable_allowlist = 0
+alert.track = 0
+cron_schedule = 0 4 * * *
+description = Generate an IP intel lookup for consumption by the TIF.
+dispatch.earliest_time = -1h@h
+dispatch.latest_time = now
+display.general.timeRangePicker.show = 0
+display.general.type = statistics
+display.page.search.tab = statistics
+display.visualizations.show = 0
+enableSched = 1
+request.ui_dispatch_app = avista_utils
+request.ui_dispatch_view = search
+schedule_window = auto
+search = `update_crowdstrike_intel_lookup(ip_address, ip, crowdstrike_ip_intel)`
+
+[Crowdstrike URL Intel - Lookup Gen]
+action.email.useNSSubject = 1
+action.keyindicator.invert = 0
+action.makestreams.param.verbose = 0
+action.nbtstat.param.verbose = 0
+action.notable.param.verbose = 0
+action.nslookup.param.verbose = 0
+action.ping.param.verbose = 0
+action.risk.forceCsvResults = 1
+action.risk.param.verbose = 0
+action.send2uba.param.verbose = 0
+action.threat_add.param.verbose = 0
+action.webhook.enable_allowlist = 0
+alert.track = 0
+cron_schedule = 0 4 * * *
+description = Generate an URL intel lookup for consumption by the TIF.
+dispatch.earliest_time = -1h@h
+dispatch.latest_time = now
+display.general.timeRangePicker.show = 0
+display.general.type = statistics
+display.page.search.tab = statistics
+display.visualizations.show = 0
+enableSched = 1
+request.ui_dispatch_app = avista_utils
+request.ui_dispatch_view = search
+schedule_window = auto
+search = `update_crowdstrike_intel_lookup(url, url, crowdstrike_url_intel)`
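Review bot: `[Crowdstrike Hash Intel - Lookup Gen]` ships with `disabled = 1` while the other three generators are enabled and the matching `threatlist://crowdstrike_hash_intel` input in inputs.conf is not disabled, so the hash lookup is never produced and that input will try to read a CSV that does not exist; if this is intentional (hash volume, for instance), say so in the stanza's `description` or disable the input as well. `request.ui_dispatch_app = avista_utils` on all four stanzas names an app that is not part of this package and looks like a leftover from the author's environment; it should point at the packaged app, `request.ui_dispatch_app = SA-CrowdstrikeIntelIndicators`, or be dropped. The UI-dumped `action.*.param.verbose` lines and `action.webhook.enable_allowlist = 0` are inert because no action is enabled, but the last one would silently turn off the webhook allowlist for anyone who later enables the webhook action from `local/`; removing it leaves the alert_actions.conf default in force.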
diff --git a/src/SA-CrowdstrikeIntelIndicators/default/transforms.conf b/src/SA-CrowdstrikeIntelIndicators/default/transforms.conf
new file mode 100644
index 0000000..fab525d
--- /dev/null
+++ b/src/SA-CrowdstrikeIntelIndicators/default/transforms.conf
@@ -0,0 +1,30 @@
+# DO NOT EDIT THIS FILE!
+# Please make all changes to files in ../local.
+# To make changes, copy the section/stanza you want to change from ./default
+# into ../local and edit there.
+
+[crowdstrike_ip_intel]
+batch_index_query = 0
+case_sensitive_match = 1
+filename = crowdstrike_ip_intel.csv
+
+[crowdstrike_domain_intel]
+batch_index_query = 0
+case_sensitive_match = 1
+filename = crowdstrike_domain_intel.csv
+
+[crowdstrike_url_intel]
+batch_index_query = 0
+case_sensitive_match = 1
+filename = crowdstrike_url_intel.csv
+
+[crowdstrike_hash_intel]
+batch_index_query = 0
+case_sensitive_match = 1
+filename = crowdstrike_hash_intel.csv
+
+[ava_tsa_in_scope_servers]
+batch_index_query = 0
+case_sensitive_match = 0
+filename = ava_tsa_in_scope_servers.csv
+match_type = WILDCARD(host)
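Review bot: `[ava_tsa_in_scope_servers]` defines a lookup unrelated to CrowdStrike intel, points at `ava_tsa_in_scope_servers.csv`, which this package does not ship (only the four `crowdstrike_*_intel.csv` files appear in the diff), and carries an organisation-specific name that looks like a leftover from the author's environment. Referencing it will raise "lookup table does not exist" errors and it leaks internal naming in a shared add-on; drop the stanza. For the four intel definitions, a header comment such as `# Read by the threatlist:// inputs via lookup://; the CSVs are written by the "Lookup Gen" saved searches` would explain why no CSV is bundled and where the files come from.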
diff --git a/src/SA-CrowdstrikeIntelIndicators/static/appIcon.png b/src/SA-CrowdstrikeIntelIndicators/static/appIcon.png
new file mode 100644
index 0000000..eb170cc
Binary files /dev/null and b/src/SA-CrowdstrikeIntelIndicators/static/appIcon.png differ
diff --git a/src/SA-CrowdstrikeIntelIndicators/static/appIcon_2x.png b/src/SA-CrowdstrikeIntelIndicators/static/appIcon_2x.png
new file mode 100644
index 0000000..808306f
Binary files /dev/null and b/src/SA-CrowdstrikeIntelIndicators/static/appIcon_2x.png differ
diff --git a/src/SA-YOUR_APP_HERE/.gitkeep b/src/SA-YOUR_APP_HERE/.gitkeep
deleted file mode 100644
index e69de29..0000000