Remove extra fields from YMLs

baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml

@@ -20,7 +20,6 @@ tags:
   - Emotet Malware DHS Report TA18-201A
   - Monitor for Unauthorized Software
   - SamSam Ransomware
-  asset_type: Endpoint
   detections:
   - Prohibited Software On Endpoint
   product:
@@ -29,17 +28,4 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  security_domain: endpoint
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: endpoint

baselines/deprecated/baseline_of_api_calls_per_user_arn.yml

@@ -32,17 +32,4 @@ tags:
   - _time
   - eventType
   - userIdentity.arn
-  security_domain: network
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: network

baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml

@@ -44,17 +44,4 @@ tags:
   - eventName
   - errorCode
   - src_user
-  security_domain: network
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: network

baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml

@@ -44,17 +44,4 @@ tags:
   - eventName
   - errorCode
   - src_user
-  security_domain: network
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: network

baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml

@@ -35,17 +35,4 @@ tags:
   - userIdentity.type
   - userName
   - eventName
-  security_domain: network
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: network

baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml

@@ -33,17 +33,4 @@ tags:
   - _time
   - eventName
   - sourceIPAddress
-  security_domain: network
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: network

baselines/deprecated/previously_seen_ec2_amis.yml

@@ -29,17 +29,4 @@ tags:
   - eventName
   - errorCode
   - requestParameters.instancesSet.items{}.imageId
-  security_domain: network
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: network

baselines/deprecated/previously_seen_ec2_instance_types.yml

@@ -29,17 +29,4 @@ tags:
   - eventName
   - errorCode
   - requestParameters.instanceType
-  security_domain: network
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: network

baselines/deprecated/previously_seen_ec2_launches_by_user.yml

@@ -30,17 +30,4 @@ tags:
   - eventName
   - errorCode
   - requestParameters.instanceType
-  security_domain: network
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: network

baselines/deprecated/previously_seen_users_in_cloudtrail.yml

@@ -37,17 +37,4 @@ tags:
   - eventName
   - userIdentity.arn
   - src
-  security_domain: network
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: network

baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml

@@ -39,17 +39,4 @@ tags:
   - eventName
   - userIdentity.arn
   - src
-  security_domain: network
-  kill_chain_phases:
-  - Exploitation
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: field
-    type: Unknown
-    role:
-    - Unknown
+  security_domain: network

baselines/dnstwist_domain_names.yml

@@ -19,7 +19,6 @@ tags:
   analytic_story:
   - Brand Monitoring
   - Suspicious Emails
-  asset_type: Endpoint
   detections:
   - Monitor Email For Brand Abuse
   - Monitor DNS For Brand Abuse
@@ -28,19 +27,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  kill_chain_phases:
-  - Exploitation
   required_fields:
   - _time
-  security_domain: network
-  confidence: 50
-  impact: 50
-  risk_score: 25
-  context:
-  - Unknown
-  message: tbd
-  observable:
-  - name: dest
-    type: Other
-    role:
-    - Other
+  security_domain: network

contentctl.yml

@@ -13,10 +13,10 @@ app:
 enrichments: false
 build_app: true
 build_api: true
-build_ssa: false
 build_path: dist
-test_instance:
-  splunk_app_username: admin
+test_instances:
+- splunk_app_username: admin
+  instance_name: test_instance
   instance_address: localhost
   hec_port: 8088
   web_ui_port: 8000
@@ -32,9 +32,9 @@ apps:
 # - uid: 263
 #   title: Splunk Enterprise Security
 #   appid: SplunkEnterpriseSecuritySuite
-#   version: 7.3.1
+#   version: 7.3.2
 #   description: description of app
-#   hardcoded_path: apps/splunk-enterprise-security_731.spl
+#   hardcoded_path: apps/splunk-enterprise-security_7312.spl
 - uid: 1621
   title: Splunk Common Information Model (CIM)
   appid: Splunk_SA_CIM
@@ -194,5 +194,3 @@ apps:
   version: 3.2.1
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/crowdstrike-falcon-event-streams-technical-add-on_321.tgz
-
-githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd

detections/application/crushftp_server_side_template_injection.yml

@@ -52,7 +52,6 @@ tags:
   - user
   - action
   - message
-  risk_score: 64
   security_domain: network
   cve:
   - CVE-2024-4040

detections/application/detect_distributed_password_spray_attempts.yml

@@ -66,7 +66,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 49
   required_fields:
   - Authentication.action
   - Authentication.user

detections/application/detect_new_login_attempts_to_routers.yml

@@ -49,5 +49,4 @@ tags:
   - Authentication.dest_category
   - Authentication.dest
   - Authentication.user
-  risk_score: 25
   security_domain: network

detections/application/detect_password_spray_attempts.yml

@@ -61,7 +61,6 @@ tags:
   - Splunk Enterprise
   - Splunk Enterprise Security
   - Splunk Cloud
-  risk_score: 49
   required_fields:
   - Authentication.action
   - Authentication.user

detections/application/email_attachments_with_lots_of_spaces.yml

@@ -64,5 +64,4 @@ tags:
   - All_Email.src_user
   - All_Email.file_name
   - All_Email.message_id
-  risk_score: 25
   security_domain: network

detections/application/email_files_written_outside_of_the_outlook_directory.yml

@@ -58,5 +58,4 @@ tags:
   - Filesystem.action
   - Filesystem.process_id
   - Filesystem.dest
-  risk_score: 25
   security_domain: endpoint

detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml

@@ -63,5 +63,4 @@ tags:
   - All_Traffic.bytes_out
   - All_Traffic.src_category
   - All_Traffic.dest_ip
-  risk_score: 25
   security_domain: network

detections/application/monitor_email_for_brand_abuse.yml

@@ -48,5 +48,4 @@ tags:
   - All_Email.recipient
   - All_Email.src_user
   - All_Email.message_id
-  risk_score: 25
   security_domain: network

detections/application/no_windows_updates_in_a_time_frame.yml

@@ -50,5 +50,4 @@ tags:
   - Updates.status
   - Updates.vendor_product
   - Updates.dest
-  risk_score: 25
   security_domain: endpoint

detections/application/okta_authentication_failed_during_mfa_challenge.yml

@@ -67,7 +67,6 @@ tags:
   - Authentication.signature
   - Authentication.method
   - Authentication.src
-  risk_score: 48
   security_domain: identity
 tests:
 - name: True Positive Test

detections/application/okta_idp_lifecycle_modifications.yml

@@ -64,7 +64,6 @@ tags:
   - user_agent
   - command
   - description
-  risk_score: 81
   security_domain: identity
 tests:
 - name: True Positive Test

detections/application/okta_mfa_exhaustion_hunt.yml

@@ -61,7 +61,6 @@ tags:
   - src_ip
   - eventType
   - status
-  risk_score: 18
   security_domain: access
 tests:
 - name: True Positive Test

detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml

@@ -74,5 +74,4 @@ tags:
   - client.userAgent.rawUserAgent
   - debugContext.debugData.behaviors
   - group_push_time
-  risk_score: 64
   security_domain: access

detections/application/okta_multi_factor_authentication_disabled.yml

@@ -61,7 +61,6 @@ tags:
   - All_Changes.result
   - All_Changes.src
   - sourcetype
-  risk_score: 30
   security_domain: identity
 tests:
 - name: True Positive Test

detections/application/okta_multiple_accounts_locked_out.yml

@@ -59,7 +59,6 @@ tags:
   - All_Changes.result
   - All_Changes.src
   - sourcetype
-  risk_score: 49
   security_domain: identity
 tests:
 - name: True Positive Test