Merge branch 'develop' into APT37

Author: patel-bhavin

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.14.0
+  version: 5.16.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -38,15 +38,15 @@ apps:
 - uid: 6553
   title: Splunk Add-on for Okta Identity Cloud
   appid: Splunk_TA_okta_identity_cloud
-  version: 4.0.0
+  version: 4.1.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-okta-identity-cloud_400.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-okta-identity-cloud_410.tgz
 - uid: 7404
   title: Cisco Security Cloud
   appid: CiscoSecurityCloud
-  version: 3.4.1
+  version: 3.4.2
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_341.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_342.tgz
 - uid: 6652
   title: Add-on for Linux Sysmon
   appid: Splunk_TA_linux_sysmon
@@ -77,9 +77,9 @@ apps:
 - uid: 833
   title: Splunk Add-on for Unix and Linux
   appid: Splunk_TA_nix
-  version: 10.1.0
+  version: 10.2.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_1010.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_1020.tgz
 - uid: 5579
   title: Splunk Add-on for CrowdStrike FDR
   appid: Splunk_TA_CrowdStrike_FDR
@@ -167,9 +167,9 @@ apps:
 - uid: 4055
   title: Splunk Add-on for Microsoft Office 365
   appid: SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365
-  version: 4.9.0
+  version: 5.0.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_490.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_500.tgz
 - uid: 2890
   title: Splunk Machine Learning Toolkit
   appid: SPLUNK_MACHINE_LEARNING_TOOLKIT
@@ -185,9 +185,9 @@ apps:
 - uid: 6207
   title: Splunk Add-on for Microsoft Security
   appid: Splunk_TA_MS_Security
-  version: 2.5.4
+  version: 2.6.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_254.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_260.tgz
 - uid: 2734
   title: URL Toolbox
   appid: URL_TOOLBOX
@@ -249,8 +249,8 @@ apps:
 - uid: 1467
   title: Cisco Networks Add-on
   appid: TA-cisco_ios
-  version: 2.7.8
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/add-on-for-cisco-network-data_278.tgz
+  version: 2.7.9
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/add-on-for-cisco-network-data_279.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
 test_data_caches:
 - base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/

data_sources/aws_cloudwatchlogs_vpcflow.yml

@@ -73,7 +73,6 @@ output_fields:
 - action
 - src
 - src_ip
-- src_port
 - dest
 - dest_ip
 - dest_port

data_sources/cisco_ai_defense_alerts.yml

@@ -10,5 +10,5 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.1
+  version: 3.4.2
 fields: null

data_sources/cisco_asa_logs.yml

@@ -0,0 +1,138 @@
+name: Cisco ASA Logs
+id: 3f2a9b6d-1c8e-4f7b-a2d3-8b7f1c2a9d4e
+version: 1
+date: '2025-09-23'
+author: Bhavin Patel, Splunk
+description: "Data source object for Cisco ASA system logs. Cisco ASA logs provide\
+  \ firewall operational and security telemetry (connection events, ACL denies, VPN\
+  \ events, NAT translations, and device health). Deploy the Splunk Add-on for Cisco\
+  \ ASA (TA-cisco_asa) on indexers/heavy forwarders and the Cisco ASA App on search\
+  \ heads for best parsing, CIM mapping, and dashboards. This data is ingested via\
+  \ SYSLOG. You must be ingesting Cisco ASA syslog data into your Splunk environment.\
+  \ To ensure all detections work, configure your ASA and FTD devices to generate\
+  \ and forward both debug and informational level syslog messages before they are\
+  \ sent to Splunk. A few analytics are designed to be used with comprehensive logging\
+  \ enabled, as it relies on the presence of specific message IDs. You can find specific\
+  \ instructions on how to set this up here : https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#toc-hId--1451069880.\
+  \ \n"
+source: cisco:asa
+sourcetype: cisco:asa
+separator: null
+supported_TA:
+- name: Cisco Security Cloud
+  url: https://splunkbase.splunk.com/app/7404
+  version: 3.4.2
+fields:
+- Cisco_ASA_action
+- Cisco_ASA_message_id
+- Cisco_ASA_user
+- Cisco_ASA_vendor_action
+- IP
+- Username
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
+- _time
+- acl
+- action
+- app
+- assigned_ip
+- bytes
+- category
+- command
+- communication_protocol
+- connections_in_use
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_host
+- dest_interface
+- dest_ip
+- dest_nt_domain
+- dest_port
+- dest_public_port
+- dest_translated_host
+- dest_translated_ip
+- dest_translated_port
+- dest_user
+- dest_zone
+- direction
+- duration
+- duration_day
+- duration_hour
+- duration_minute
+- duration_second
+- dvc
+- eventtype
+- group
+- host
+- ids_type
+- index
+- laction
+- linecount
+- most_used_connections
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- protocol
+- protocol_version
+- punct
+- reason
+- result
+- rule
+- rule_name
+- session_id
+- severity
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_host
+- src_interface
+- src_ip
+- src_nt_domain
+- src_port
+- src_public_port
+- src_translated_host
+- src_translated_ip
+- src_translated_port
+- src_user
+- src_zone
+- ssl_is_valid
+- status
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::object_category
+- teardown_initiator
+- timeendpos
+- timestartpos
+- transport
+- type
+- user
+- vendor
+- vendor_action
+- vendor_product
+- vendor_severity
+- zone
+example_log: 'Sep 23 19:27:50 18.144.133.67 :2025-09-23T19:27:49Z: %ASA-session-7-609002:
+  Teardown local-host management:54.245.234.201 duration 0:02:01 Sep 23 18:07:00 18.144.133.67
+  :2025-09-23T18:07:00Z: %ASA-session-7-710005: TCP request discarded from 198.27.166.158/55508
+  to management:172.31.12.229/443'

data_sources/cisco_duo_activity.yml

@@ -10,7 +10,7 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.1
+  version: 3.4.2
 fields:
 - access_device.browser
 - access_device.browser_version

data_sources/cisco_duo_administrator.yml

@@ -10,7 +10,7 @@ separator: null
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.1
+  version: 3.4.2
 fields:
 - action
 - actionlabel

data_sources/cisco_ios_logs.yml

@@ -3,14 +3,22 @@ id: 9e4c8d7b-6f5e-4a3d-b2c1-0a9b8c7d6e5f
 version: 1
 date: '2025-08-21'
 author: Michael Haag, Splunk
-description: Data source object for Cisco IOS system logs. Cisco IOS logs provide operational and security telemetry from Cisco network devices (IOS, IOS XE, IOS XR, NX-OS, WLC, and APs). The Cisco Networks Add-on for Splunk (TA-cisco_ios) normalizes these events by setting proper sourcetypes and extracting fields for switches, routers, controllers, and access points; deploy the TA on indexers/HFs and search heads, and the Cisco Networks (cisco_ios) App on search heads. Supported platforms include Catalyst, ASR, ISR, Nexus, CRS, and other IOS-based devices, enabling consistent investigation, alerting, and reporting in Splunk Enterprise and Splunk Cloud. This data is ingested via SYSLOG.
+description: Data source object for Cisco IOS system logs. Cisco IOS logs provide
+  operational and security telemetry from Cisco network devices (IOS, IOS XE, IOS
+  XR, NX-OS, WLC, and APs). The Cisco Networks Add-on for Splunk (TA-cisco_ios) normalizes
+  these events by setting proper sourcetypes and extracting fields for switches, routers,
+  controllers, and access points; deploy the TA on indexers/HFs and search heads,
+  and the Cisco Networks (cisco_ios) App on search heads. Supported platforms include
+  Catalyst, ASR, ISR, Nexus, CRS, and other IOS-based devices, enabling consistent
+  investigation, alerting, and reporting in Splunk Enterprise and Splunk Cloud. This
+  data is ingested via SYSLOG.
 source: cisco:ios
 sourcetype: cisco:ios
 separator: null
 supported_TA:
 - name: Cisco Networks Add-on
   url: https://splunkbase.splunk.com/app/1467
-  version: 2.7.8
+  version: 2.7.9
 fields:
 - _time
 - aci_message_text
@@ -81,7 +89,8 @@ fields:
 output_fields:
 - user
 - dest
-example_log: 'Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username: attacker configured
-  Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username: attacker privilege updated with priv-15
-  Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username attacker privilege 15 secret *
-  Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED'
+example_log: 'Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username:
+  attacker configured Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username:
+  attacker privilege updated with priv-15 Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD:
+  User:ec2-user logged command:username attacker privilege 15 secret * Aug 20 17:10:21.665:
+  %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED'

data_sources/cisco_secure_firewall_threat_defense_connection_event.yml

@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.1
+  version: 3.4.2
 fields:
 - AC_RuleAction
 - action

data_sources/cisco_secure_firewall_threat_defense_file_event.yml

@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.1
+  version: 3.4.2
 fields:
 - app
 - Application

data_sources/cisco_secure_firewall_threat_defense_intrusion_event.yml

@@ -10,7 +10,7 @@ sourcetype: cisco:sfw:estreamer
 supported_TA:
 - name: Cisco Security Cloud
   url: https://splunkbase.splunk.com/app/7404
-  version: 3.4.1
+  version: 3.4.2
 fields:
 - Application
 - Classification