splunk · delgado-jacob · Jan 21, 2025 · Jan 22, 2025 · Jan 23, 2025 · Jan 23, 2025
@@ -1,9 +1,22 @@
 name: ASL AWS CloudTrail
 id: 1dcf9cfb-0e91-44c6-81b3-61b2574ec898
-version: 1
-date: '2025-01-14'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for ASL AWS CloudTrail 
+description: Represents AWS API dataset data collection from Amazon Security Lake.
+mitre_components:
+- Cloud Service Metadata
+- Cloud Service Modification
+- Cloud Storage Access
+- Instance Creation
+- Instance Deletion
+- Instance Start
+- Instance Stop
+- Instance Modification
+- Cloud Storage Creation
+- Cloud Storage Deletion
+- Cloud Service Enumeration
+- Cloud Storage Enumeration
 source: aws_asl
 sourcetype: aws:asl
 separator: api.operation

@@ -1,9 +1,17 @@
 name: AWS Cloudfront
 id: 780086dc-2384-45b6-ade7-56cb00105464
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS Cloudfront
+description: Logs requests made to AWS CloudFront distributions, including details
+  on client access, response data, and performance metrics.
+mitre_components:
+- Network Traffic Content
+- Network Traffic Flow
+- Response Metadata
+- Response Content
+- Logon Session Metadata
+- Cloud Service Metadata
 source: aws
 sourcetype: aws:cloudfront:accesslogs
 supported_TA:

@@ -3,7 +3,7 @@ id: e8ace6db-1dbd-4c72-a1fb-334684619a38
 version: 1
 date: '2024-07-24'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail
+description: All AWS CloudTrail events
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName

@@ -1,12 +1,20 @@
 name: AWS CloudTrail AssumeRoleWithSAML
 id: 1e28f2a6-2db9-405f-b298-18734a293f77
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail AssumeRoleWithSAML
+description: Logs attempts to assume roles via SAML authentication in AWS, including
+  details of identity provider and role mapping.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Cloud Service Metadata
+- Instance Modification
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: AssumeRoleWithSAML
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,20 @@
 name: AWS CloudTrail ConsoleLogin
 id: b68b3f26-bd21-4fa8-b593-616fe75ac0ae
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail ConsoleLogin
+description: Logs attempts to sign in to the AWS Management Console, including successful
+  and failed login events.
+mitre_components:
+- User Account Authentication
+- Logon Session Creation
+- User Account Metadata
+- Logon Session Metadata
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: ConsoleLogin
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail CopyObject
 id: 965083f4-64a8-403f-99cc-252e1a6bd3b6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CopyObject
+description: Logs operations that copy objects within or between AWS S3 buckets, including
+  details of source and destination.
+mitre_components:
+- Cloud Storage Access
+- Cloud Storage Modification
+- Cloud Storage Metadata
+- Instance Modification
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_values: CopyObject
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateAccessKey
 id: 0460f7da-3254-4d90-b8c0-2ca657d0cea0
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateAccessKey
+description: Logs the creation of new AWS access keys, including details of the associated
+  user and permissions.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateAccessKey
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateKey
 id: fcfc1593-b6b5-4a0f-91c5-3c395116a8b9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateKey
+description: Logs the creation of new AWS KMS keys, including details of key properties
+  and associated metadata.
+mitre_components:
+- Cloud Service Creation
+- Cloud Service Metadata
+- Instance Creation
+- Volume Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateKey
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateLoginProfile
 id: 0024fdb1-0d62-4449-970a-746952cf80b6
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateLoginProfile
+description: Logs the creation of login profiles for IAM users, including associated
+  metadata and authentication settings.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Logon Session Metadata
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateLoginProfile
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateNetworkAclEntry
 id: 45934028-10ec-4ab5-a7b1-a6349b833e67
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateNetworkAclEntry
+description: Logs the creation of new entries in a network ACL, including rules to
+  allow or deny specific network traffic.
+mitre_components:
+- Firewall Rule Modification
+- Network Connection Creation
+- Cloud Service Modification
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateNetworkAclEntry
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreatePolicyVersion
 id: f9f0f3da-37ec-4164-9ea0-0ae46645a86b
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreatePolicyVersion
+description: Logs the creation of new versions of IAM policies, including changes
+  to permissions and attached roles or resources.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- User Account Metadata
+- Group Modification
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreatePolicyVersion
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateSnapshot
 id: 514135a2-f4b2-4d32-8f31-d87824887f9f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateSnapshot
+description: Logs the creation of a new snapshot of a cloud resource, such as an Amazon
+  EBS volume, including details about the snapshot ID and resource type.
+mitre_components:
+- Snapshot Creation
+- Snapshot Metadata
+- Volume Metadata
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateSnapshot
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateTask
 id: 6501e4fe-05b2-45f1-bd51-9e06a94fa7d9
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateTask
+description: Logs the creation of a new task in AWS services, such as ECS, including
+  details about the task definition and resource allocation.
+mitre_components:
+- Scheduled Job Creation
+- Scheduled Job Metadata
+- Cloud Service Metadata
+- Instance Creation
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_name: CreateTask
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail CreateVirtualMFADevice
 id: 13e6e952-0dad-4190-865c-fb5911725f7a
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail CreateVirtualMFADevice
+description: Logs the creation of a new virtual multi-factor authentication (MFA)
+  device, including details about the associated user and configuration.
+mitre_components:
+- User Account Creation
+- User Account Metadata
+- Cloud Service Creation
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: CreateVirtualMFADevice
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail DeactivateMFADevice
 id: 7397a10b-1150-4de9-8062-a96454ae53b2
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeactivateMFADevice
+description: Logs the deactivation of a multi-factor authentication (MFA) device,
+  including details about the associated user and the device.
+mitre_components:
+- User Account Modification
+- User Account Metadata
+- Cloud Service Modification
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: DeactivateMFADevice
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,17 @@
 name: AWS CloudTrail DeleteAccountPasswordPolicy
 id: b0730ac8-0992-4de8-b000-2c7d0fc7a67f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Patrick Bareiss, Splunk
-description: Data source object for AWS CloudTrail DeleteAccountPasswordPolicy
+description: Logs the deletion of an account-level password policy in AWS, including
+  details about the account and policy being removed.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: DeleteAccountPasswordPolicy
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876

@@ -1,12 +1,19 @@
 name: AWS CloudTrail DeleteAlarms
 id: b0730ac8-0992-4de8-b000-2c7d0fc7a61f
-version: 1
-date: '2024-07-18'
+version: 2
+date: '2025-01-23'
 author: Bhavin Patel, Splunk
-description: Data source object for AWS CloudTrail DeleteAlarms
+description: Logs the deletion of CloudWatch alarms, including details about the alarm
+  names and associated monitoring configurations.
+mitre_components:
+- Cloud Service Modification
+- Cloud Service Metadata
+- Application Log Content
+- Host Status
 source: aws_cloudtrail
 sourcetype: aws:cloudtrail
 separator: eventName
+separator_value: DeleteAlarms
 supported_TA:
 - name: Splunk Add-on for AWS
   url: https://splunkbase.splunk.com/app/1876