add new deployment functionality

splunk · Jan 4, 2023 · b352a14 · b352a14
1 parent 5ae53c9
commit b352a14
Show file tree

Hide file tree

Showing 83 changed files with 204 additions and 310 deletions.
diff --git a/baselines/baseline_of_blocked_outbound_traffic_from_aws.yml b/baselines/baseline_of_blocked_outbound_traffic_from_aws.yml
@@ -28,8 +28,6 @@ tags:
   - AWS Network ACL Activity
   - Suspicious AWS Traffic
   - Command and Control
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect Spike in blocked Outbound Traffic from your AWS
   product:

diff --git a/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml b/baselines/baseline_of_cloud_infrastructure_api_calls_per_user.yml
@@ -34,8 +34,6 @@ references: []
 tags:
   analytic_story:
   - Suspicious Cloud User Activities
-  deployments:
-  - Weekly Model Rebuild 90 Day Lookback
   detections:
   - Abnormally High Number Of Cloud Infrastructure API Calls
   product:
@@ -47,3 +45,9 @@ tags:
   - All_Changes.user
   - All_Changes.status
   security_domain: network
+deployment:
+  scheduling:
+    cron_schedule: 0 2 * * 0
+    earliest_time: -90d@d
+    latest_time: -1d@d
+    schedule_window: auto
diff --git a/baselines/baseline_of_cloud_instances_destroyed.yml b/baselines/baseline_of_cloud_instances_destroyed.yml
@@ -37,8 +37,6 @@ tags:
   analytic_story:
   - Suspicious Cloud Instance Activities
   - Cloud Cryptomining
-  deployments:
-  - Weekly Model Rebuild 90 Day Lookback
   detections:
   - Abnormally High Number Of Cloud Instances Destroyed
   product:
@@ -51,3 +49,9 @@ tags:
   - All_Changes.status
   - All_Changes.object_category
   security_domain: network
+deployment:
+  scheduling:
+    cron_schedule: 0 2 * * 0
+    earliest_time: -90d@d
+    latest_time: -1d@d
+    schedule_window: auto
diff --git a/baselines/baseline_of_cloud_instances_launched.yml b/baselines/baseline_of_cloud_instances_launched.yml
@@ -37,8 +37,6 @@ tags:
   analytic_story:
   - Cloud Cryptomining
   - Suspicious Cloud Instance Activities
-  deployments:
-  - Weekly Model Rebuild 90 Day Lookback
   detections:
   - Abnormally High Number Of Cloud Instances Launched
   product:
@@ -51,3 +49,9 @@ tags:
   - All_Changes.status
   - All_Changes.object_category
   security_domain: network
+deployment:
+  scheduling:
+    cron_schedule: 0 2 * * 0
+    earliest_time: -90d@d
+    latest_time: -1d@d
+    schedule_window: auto
diff --git a/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml b/baselines/baseline_of_cloud_security_group_api_calls_per_user.yml
@@ -33,8 +33,6 @@ references: []
 tags:
   analytic_story:
   - Suspicious Cloud User Activities
-  deployments:
-  - Weekly Model Rebuild 90 Day Lookback
   detections:
   - Abnormally High Number Of Cloud Security Group API Calls
   product:
@@ -47,3 +45,9 @@ tags:
   - All_Changes.status
   - All_Changes.object_category
   security_domain: network
+deployment:
+  scheduling:
+    cron_schedule: 0 2 * * 0
+    earliest_time: -90d@d
+    latest_time: -1d@d
+    schedule_window: auto
diff --git a/baselines/baseline_of_command_line_length___mltk.yml b/baselines/baseline_of_command_line_length___mltk.yml
@@ -34,8 +34,6 @@ tags:
   - Suspicious Command-Line Executions
   - Suspicious MSHTA Activity
   - Unusual Processes
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect Prohibited Applications Spawning cmd.exe
   - Unusually Long Command Line - MLTK
@@ -50,3 +48,4 @@ tags:
   - Processes.process_name
   - Processes.process
   security_domain: endpoint
+
diff --git a/baselines/baseline_of_dns_query_length___mltk.yml b/baselines/baseline_of_dns_query_length___mltk.yml
@@ -30,8 +30,6 @@ tags:
   - Hidden Cobra Malware
   - Suspicious DNS Traffic
   - Command and Control
-  deployments:
-  - Daily Cache Updates
   detections:
   - DNS Query Length Outliers - MLTK
   product:

diff --git a/baselines/baseline_of_network_acl_activity_by_arn.yml b/baselines/baseline_of_network_acl_activity_by_arn.yml
@@ -23,8 +23,6 @@ references: []
 tags:
   analytic_story:
   - AWS Network ACL Activity
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect Spike in Network ACL Activity
   product:

diff --git a/baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml b/baselines/baseline_of_s3_bucket_deletion_activity_by_arn.yml
@@ -22,8 +22,6 @@ references: []
 tags:
   analytic_story:
   - Suspicious AWS S3 Activities
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect Spike in S3 Bucket deletion
   product:

diff --git a/baselines/baseline_of_security_group_activity_by_arn.yml b/baselines/baseline_of_security_group_activity_by_arn.yml
@@ -23,8 +23,6 @@ references: []
 tags:
   analytic_story:
   - AWS User Monitoring
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect Spike in Security Group Activity
   product:

diff --git a/baselines/baseline_of_smb_traffic___mltk.yml b/baselines/baseline_of_smb_traffic___mltk.yml
@@ -40,8 +40,6 @@ tags:
   - Hidden Cobra Malware
   - Netsh Abuse
   - Ransomware
-  deployments:
-  - Daily Cache Updates
   detections:
   - Processes launching netsh
   - SMB Traffic Spike - MLTK

diff --git a/baselines/count_of_assets_by_category.yml b/baselines/count_of_assets_by_category.yml
@@ -19,8 +19,6 @@ references: []
 tags:
   analytic_story:
   - Asset Tracking
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect Unauthorized Assets by MAC address
   product:

diff --git a/baselines/count_of_unique_ips_connecting_to_ports.yml b/baselines/count_of_unique_ips_connecting_to_ports.yml
@@ -20,8 +20,6 @@ tags:
   - Prohibited Traffic Allowed or Protocol Mismatch
   - Ransomware
   - Command and Control
-  deployments:
-  - Daily Cache Updates
   detections:
   - Prohibited Network Traffic Allowed
   product:

diff --git a/baselines/create_a_list_of_approved_aws_service_accounts.yml b/baselines/create_a_list_of_approved_aws_service_accounts.yml
@@ -21,8 +21,6 @@ references: []
 tags:
   analytic_story:
   - AWS User Monitoring
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect AWS API Activities From Unapproved Accounts
   product:

diff --git a/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml b/baselines/deprecated/add_prohibited_processes_to_enterprise_security.yml
@@ -21,8 +21,6 @@ tags:
   - Monitor for Unauthorized Software
   - SamSam Ransomware
   asset_type: Endpoint
-  deployments:
-  - Daily Cache Updates
   detections:
   - Prohibited Software On Endpoint
   product:

diff --git a/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml b/baselines/deprecated/baseline_of_api_calls_per_user_arn.yml
@@ -22,8 +22,6 @@ references: []
 tags:
   analytic_story:
   - AWS User Monitoring
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect Spike in AWS API Activity
   product:

diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_launched_by_user___mltk.yml
@@ -33,8 +33,6 @@ tags:
   analytic_story:
   - AWS Cryptomining
   - Suspicious AWS EC2 Activities
-  deployments:
-  - Daily Cache Updates
   detections:
   - Abnormally High AWS Instances Launched by User - MLTK
   product:

diff --git a/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml b/baselines/deprecated/baseline_of_excessive_aws_instances_terminated_by_user___mltk.yml
@@ -33,8 +33,6 @@ references: []
 tags:
   analytic_story:
   - Suspicious AWS EC2 Activities
-  deployments:
-  - Daily Cache Updates
   detections:
   - Abnormally High AWS Instances Terminated by User - MLTK
   product:

diff --git a/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml b/baselines/deprecated/previously_seen_api_call_per_user_roles_in_cloudtrail.yml
@@ -22,8 +22,6 @@ references: []
 tags:
   analytic_story:
   - AWS User Monitoring
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect new API calls from user roles
   product:

diff --git a/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml b/baselines/deprecated/previously_seen_aws_provisioning_activity_sources.yml
@@ -20,8 +20,6 @@ references: []
 tags:
   analytic_story:
   - AWS Suspicious Provisioning Activities
-  deployments:
-  - Daily Cache Updates
   detections:
   - AWS Cloud Provisioning From Previously Unseen IP Address
   - AWS Cloud Provisioning From Previously Unseen City

diff --git a/baselines/deprecated/previously_seen_ec2_amis.yml b/baselines/deprecated/previously_seen_ec2_amis.yml
@@ -18,8 +18,6 @@ references: []
 tags:
   analytic_story:
   - AWS Cryptomining
-  deployments:
-  - Daily Cache Updates
   detections:
   - EC2 Instance Started With Previously Unseen AMI
   product:

diff --git a/baselines/deprecated/previously_seen_ec2_instance_types.yml b/baselines/deprecated/previously_seen_ec2_instance_types.yml
@@ -18,8 +18,6 @@ references: []
 tags:
   analytic_story:
   - AWS Cryptomining
-  deployments:
-  - Daily Cache Updates
   detections:
   - EC2 Instance Started With Previously Unseen Instance Type
   product:

diff --git a/baselines/deprecated/previously_seen_ec2_launches_by_user.yml b/baselines/deprecated/previously_seen_ec2_launches_by_user.yml
@@ -19,8 +19,6 @@ tags:
   analytic_story:
   - AWS Cryptomining
   - Suspicious AWS EC2 Activities
-  deployments:
-  - Daily Cache Updates
   detections:
   - EC2 Instance Started With Previously Unseen User
   product:

diff --git a/baselines/deprecated/previously_seen_users_in_cloudtrail.yml b/baselines/deprecated/previously_seen_users_in_cloudtrail.yml
@@ -23,8 +23,6 @@ references: []
 tags:
   analytic_story:
   - Suspicious AWS Login Activities
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect AWS Console Login by User from New Country
   - Detect AWS Console Login by User from New Region

diff --git a/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml b/baselines/deprecated/update_previously_seen_users_in_cloudtrail.yml
@@ -25,8 +25,6 @@ references: []
 tags:
   analytic_story:
   - Suspicious AWS Login Activities
-  deployments:
-  - Daily Cache Updates
   detections:
   - Detect AWS Console Login by User from New Country
   - Detect AWS Console Login by User from New Region

diff --git a/baselines/discover_dns_records.yml b/baselines/discover_dns_records.yml
@@ -27,8 +27,6 @@ references: []
 tags:
   analytic_story:
   - DNS Hijacking
-  deployments:
-  - Daily Cache Updates
   detections:
   - DNS record changed
   product:

diff --git a/baselines/dnstwist_domain_names.yml b/baselines/dnstwist_domain_names.yml
@@ -20,8 +20,6 @@ tags:
   - Brand Monitoring
   - Suspicious Emails
   asset_type: Endpoint
-  deployments:
-  - Daily Cache Updates
   detections:
   - Monitor Email For Brand Abuse
   - Monitor DNS For Brand Abuse

diff --git a/baselines/identify_systems_creating_remote_desktop_traffic.yml b/baselines/identify_systems_creating_remote_desktop_traffic.yml
@@ -21,8 +21,6 @@ tags:
   - Ryuk Ransomware
   - Hidden Cobra Malware
   - Active Directory Lateral Movement
-  deployments:
-  - Daily Cache Updates
   detections:
   - Remote Desktop Network Traffic
   product:

diff --git a/baselines/identify_systems_receiving_remote_desktop_traffic.yml b/baselines/identify_systems_receiving_remote_desktop_traffic.yml
@@ -22,8 +22,6 @@ tags:
   - Ryuk Ransomware
   - Hidden Cobra Malware
   - Active Directory Lateral Movement
-  deployments:
-  - Daily Cache Updates
   detections:
   - Remote Desktop Network Traffic
   product:

diff --git a/baselines/identify_systems_using_remote_desktop.yml b/baselines/identify_systems_using_remote_desktop.yml
@@ -21,8 +21,6 @@ tags:
   - Ryuk Ransomware
   - Hidden Cobra Malware
   - Active Directory Lateral Movement
-  deployments:
-  - Daily Cache Updates
   detections:
   - Remote Desktop Network Traffic
   product:

diff --git a/baselines/monitor_successful_backups.yml b/baselines/monitor_successful_backups.yml
@@ -18,8 +18,6 @@ references: []
 tags:
   analytic_story:
   - Monitor Backup Solution
-  deployments:
-  - Daily Cache Updates
   detections:
   - Unsuccessful Netbackup backups
   product:

diff --git a/baselines/monitor_unsuccessful_backups.yml b/baselines/monitor_unsuccessful_backups.yml
@@ -17,8 +17,6 @@ references: []
 tags:
   analytic_story:
   - Monitor Backup Solution
-  deployments:
-  - Daily Cache Updates
   detections:
   - Unsuccessful Netbackup backups
   product:

diff --git a/baselines/previously_seen_aws_cross_account_activity.yml b/baselines/previously_seen_aws_cross_account_activity.yml
@@ -22,8 +22,6 @@ references: []
 tags:
   analytic_story:
   - AWS Cross Account Activity
-  deployments:
-  - Daily Cache Updates
   detections:
   - AWS Cross Account Activity From Previously Unseen Account
   product:

diff --git a/baselines/previously_seen_aws_cross_account_activity___initial.yml b/baselines/previously_seen_aws_cross_account_activity___initial.yml
@@ -26,8 +26,6 @@ references: []
 tags:
   analytic_story:
   - Suspicious Cloud Authentication Activities
-  deployments:
-  - 90 Day Baseline
   detections:
   - AWS Cross Account Activity From Previously Unseen Account
   product:
@@ -42,3 +40,9 @@ tags:
   - Authentication.src
   - Authentication.user_role
   security_domain: network
+deployment:
+  scheduling:
+    cron_schedule: 0 2 * * 0
+    earliest_time: -90d@d
+    latest_time: -1d@d
+    schedule_window: auto
diff --git a/baselines/previously_seen_aws_cross_account_activity___update.yml b/baselines/previously_seen_aws_cross_account_activity___update.yml
@@ -27,8 +27,6 @@ references: []
 tags:
   analytic_story:
   - Suspicious Cloud Authentication Activities
-  deployments:
-  - Daily Cache Updates
   detections:
   - AWS Cross Account Activity From Previously Unseen Account
   product:

diff --git a/baselines/previously_seen_aws_regions.yml b/baselines/previously_seen_aws_regions.yml
@@ -20,8 +20,6 @@ tags:
   analytic_story:
   - AWS Cryptomining
   - Suspicious AWS EC2 Activities
-  deployments:
-  - Daily Cache Updates
   detections:
   - EC2 Instance Started In Previously Unseen Region
   product: