another round of lookup file updates

pyth0n1c · pyth0n1c · commit 32da5d262a5f · 2024-12-23T15:45:58.000-08:00
diff --git a/lookups/api_call_by_user_baseline.yml b/lookups/api_call_by_user_baseline.yml
@@ -1,5 +1,15 @@
+name: api_call_by_user_baseline
+date: 2024-12-23
+version: 2
+id: 6f4b0d42-5f24-4992-98f9-aebbc7ced9bf
+author: Splunk Threat Research Team
+lookup_type: kvstore
 description: A collection that will contain the baseline information for number of
   AWS API calls per user
 collection: api_call_by_user_baseline
-name: api_call_by_user_baseline
-fields_list: arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls
+fields_list: 
+- arn
+- latestCount
+- numDataPoints
+- avgApiCalls
+- stdevApiCalls
diff --git a/lookups/is_windows_system_file.yml b/lookups/is_windows_system_file.yml
@@ -1,6 +1,10 @@
-default_match: 'false'
+name: is_windows_system_file
+date: 2024-12-23
+version: 2
+id: ce238622-4d8f-41a4-a747-5d0adab9c854
+author: Splunk Threat Research Team
+lookup_type: csv
+default_match: false
 description: A full baseline of executable files in Windows\System32 and Windows\Syswow64, including sub-directories from Server 2016 and Windows 10.
-filename: is_windows_system_file20231221.csv
 min_matches: 1
-name: is_windows_system_file
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/k8s_process_resource_baseline.yml b/lookups/k8s_process_resource_baseline.yml
@@ -1,4 +1,30 @@
+name: k8s_process_resource_baseline
+date: 2024-12-23
+version: 2
+id: 6deb2883-faf8-4f78-bf88-ad67ccc8dfc0
+author: Splunk Threat Research Team
+lookup_type: kvstore
 description: A place holder for a list of used Kuberntes Process Resource
 collection: k8s_process_resource_baseline
-name: k8s_process_resource_baseline
-fields_list: host.name, k8s.cluster.name, k8s.node.name, process.executable.name, avg_process.cpu.time, avg_process.cpu.utilization, avg_process.disk.io, avg_process.disk.operations, avg_process.memory.usage, avg_process.memory.utilization, avg_process.memory.virtual, avg_process.threads, stdev_process.cpu.time, stdev_process.cpu.utilization, stdev_process.disk.io, stdev_process.disk.operations, stdev_process.memory.usage, stdev_process.memory.utilization, stdev_process.memory.virtual, stdev_process.threads, key
+fields_list: 
+- host.name
+- k8s.cluster.name
+- k8s.node.name
+- process.executable.name
+- avg_process.cpu.time
+- avg_process.cpu.utilization
+- avg_process.disk.io
+- avg_process.disk.operations
+- avg_process.memory.usage
+- avg_process.memory.utilization
+- avg_process.memory.virtual
+- avg_process.threads
+- stdev_process.cpu.time
+- stdev_process.cpu.utilization
+- stdev_process.disk.io
+- stdev_process.disk.operations
+- stdev_process.memory.usage
+- stdev_process.memory.utilization
+- stdev_process.memory.virtual
+- stdev_process.threads
+- key
diff --git a/lookups/legit_domains.yml b/lookups/legit_domains.yml
@@ -1,3 +1,7 @@
-description: A list of legit domains to be used as an ignore list for possible phishing sites
-filename: legit_domains.csv
 name: legit_domains
+date: 2024-12-23
+version: 2
+id: 06602f3e-0dcc-47ef-aabc-85a4ad782442
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A list of legit domains to be used as an ignore list for possible phishing sites
diff --git a/lookups/linux_tool_discovery_process.yml b/lookups/linux_tool_discovery_process.yml
@@ -1,7 +1,12 @@
-description: A list of suspicious bash commonly used by attackers via scripts
-filename: linux_tool_discovery_process.csv
 name: linux_tool_discovery_process
-default_match: 'false'
-match_type: WILDCARD(process)
+date: 2024-12-23
+version: 2
+id: f0d8b1c8-4ca0-4765-858a-ab0dea68c399
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A list of suspicious bash commonly used by attackers via scripts
+default_match: false
+match_type: 
+- WILDCARD(process)
 min_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/local_file_inclusion_paths.yml b/lookups/local_file_inclusion_paths.yml
@@ -1,7 +1,12 @@
-description: A list of interesting files in a local file inclusion attack
-filename: local_file_inclusion_paths.csv
 name: local_file_inclusion_paths
-default_match: 'false'
-match_type: WILDCARD(local_file_inclusion_paths)
+date: 2024-12-23
+version: 2
+id: 10efe0a8-ec54-4f86-8d11-677a7ac65d64
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A list of interesting files in a local file inclusion attack
+default_match: false
+match_type: 
+- WILDCARD(local_file_inclusion_paths)
 min_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/lolbas_file_path.yml b/lookups/lolbas_file_path.yml
@@ -1,8 +1,14 @@
-description: A list of LOLBAS and their file path used in determining if a script or binary is valid on windows, Updated for 2024 from lolbas project.
-filename: lolbas_file_path20240725.csv
 name: lolbas_file_path
-default_match: 'false'
-match_type: WILDCARD(lolbas_file_name),WILDCARD(lolbas_file_path)
+date: 2024-12-23
+version: 2
+id: b88d9c91-33c6-408a-8ef0-00806932f8c5
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A list of LOLBAS and their file path used in determining if a script or binary is valid on windows, Updated for 2024 from lolbas project.
+default_match: false
+match_type: 
+- WILDCARD(lolbas_file_name)
+- WILDCARD(lolbas_file_path)
 min_matches: 1
 max_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/loldrivers.yml b/lookups/loldrivers.yml
@@ -1,7 +1,12 @@
-description: A list of known vulnerable drivers
-filename: loldrivers.csv
 name: loldrivers
-default_match: 'false'
-match_type: WILDCARD(driver_name)
+date: 2024-12-23
+version: 2
+id: a4c71880-bb4a-4e2c-9b44-be70cf181fb3
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A list of known vulnerable drivers
+default_match: false
+match_type: 
+- WILDCARD(driver_name)
 min_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/lookup_rare_process_allow_list_default.yml b/lookups/lookup_rare_process_allow_list_default.yml
@@ -1,7 +1,12 @@
-case_sensitive_match: 'false'
-default_match: 'false'
-description: A list of rare processes that are legitimate that is provided by Splunk
-filename: rare_process_allow_list_default.csv
-match_type: WILDCARD(process)
-min_matches: 1
 name: lookup_rare_process_allow_list_default
+date: 2024-12-23
+version: 2
+id: fc0c452e-47b1-4931-ba41-de5b7c6ed92b
+author: Splunk Threat Research Team
+lookup_type: csv
+case_sensitive_match: false
+default_match: false
+description: A list of rare processes that are legitimate that is provided by Splunk
+match_type: 
+- WILDCARD(process)
+min_matches: 1
diff --git a/lookups/lookup_rare_process_allow_list_local.yml b/lookups/lookup_rare_process_allow_list_local.yml
@@ -1,7 +1,13 @@
-case_sensitive_match: 'false'
-default_match: 'false'
+name: lookup_rare_process_allow_list_local
+date: 2024-12-23
+version: 2
+id: 7aec9c17-69b8-4a0b-8f8d-d3ea9b0e2adb
+author: Splunk Threat Research Team
+lookup_type: csv
+case_sensitive_match: false
+default_match: false
 description: A list of rare processes that are legitimate provided by the end user
-filename: rare_process_allow_list_local.csv
-match_type: WILDCARD(process)
+match_type: 
+- WILDCARD(process)
 min_matches: 1
-name: lookup_rare_process_allow_list_local
+
diff --git a/lookups/lookup_uncommon_processes_default.yml b/lookups/lookup_uncommon_processes_default.yml
@@ -1,5 +1,11 @@
-case_sensitive_match: 'false'
-description: A list of processes that are not common
-filename: uncommon_processes_default.csv
-match_type: WILDCARD(process)
 name: lookup_uncommon_processes_default
+date: 2024-12-23
+version: 2
+id: 486eba44-2238-4246-98ca-1ff9b6e1c023
+author: Splunk Threat Research Team
+lookup_type: csv
+case_sensitive_match: false
+description: A list of processes that are not common
+match_type: 
+- WILDCARD(process)
+
diff --git a/lookups/lookup_uncommon_processes_local.yml b/lookups/lookup_uncommon_processes_local.yml
@@ -1,5 +1,11 @@
-case_sensitive_match: 'false'
-description: A list of processes that are not common
-filename: uncommon_processes_local.csv
-match_type: WILDCARD(process)
 name: lookup_uncommon_processes_local
+date: 2024-12-23
+version: 2
+id: 3ece1ae5-4389-485e-b2b9-4cafdb6924dc
+author: Splunk Threat Research Team
+lookup_type: csv
+case_sensitive_match: false
+description: A list of processes that are not common
+match_type: 
+- WILDCARD(process)
+
diff --git a/lookups/mandatory_job_for_workflow.yml b/lookups/mandatory_job_for_workflow.yml
@@ -1,3 +1,9 @@
-description: A lookup file that will be used to define the mandatory job for workflow
-filename: mandatory_job_for_workflow.csv
 name: mandatory_job_for_workflow
+date: 2024-12-23
+version: 2
+id: 76d805e3-b538-43c7-bd8b-f5fd62af596a
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A lookup file that will be used to define the mandatory job for workflow
+
+
diff --git a/lookups/mandatory_step_for_job.yml b/lookups/mandatory_step_for_job.yml
@@ -1,3 +1,7 @@
-description: A lookup file that will be used to define the mandatory step for job
-filename: mandatory_step_for_job.csv
 name: mandatory_step_for_job
+date: 2024-12-23
+version: 2
+id: ac92a35c-26c4-4f6c-a005-d152b5b343b2
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A lookup file that will be used to define the mandatory step for job
diff --git a/lookups/msad_guid_lookup.yml b/lookups/msad_guid_lookup.yml
@@ -1,3 +1,8 @@
+name: msad_guid_lookup
+date: 2024-12-23
+version: 2
+id: d8812c9c-9a4c-4b4b-9995-31db35c0b8cf
+author: Splunk Threat Research Team
+lookup_type: csv
 description: A lookup file that will contain translations for AD object ace control access rights guids
-filename: msad_guid_lookup.csv
-name: msad_guid_lookup
+
diff --git a/lookups/privileged_azure_ad_roles.yml b/lookups/privileged_azure_ad_roles.yml
@@ -1,7 +1,13 @@
-description: A list of privileged Azure Active Directory roles, includes updates for 2024 and template IDs.
-filename: privileged_azure_ad_roles20240807.csv
 name: privileged_azure_ad_roles
-default_match: 'false'
-match_type: WILDCARD(azureadrole),WILDCARD(azuretemplateid)
+date: 2024-12-23
+version: 2
+id: 4dbf0357-b5fc-4be2-9058-804d6a60b126
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A list of privileged Azure Active Directory roles, includes updates for 2024 and template IDs.
+default_match: false
+match_type: 
+- WILDCARD(azureadrole)
+- WILDCARD(azuretemplateid)
 min_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/ransomware_extensions_lookup.yml b/lookups/ransomware_extensions_lookup.yml
@@ -1,7 +1,13 @@
-default_match: 'false'
+name: ransomware_extensions_lookup
+date: 2024-12-23
+version: 2
+id: eaf9e6bb-55fa-4bab-89a5-b0229638c526
+author: Splunk Threat Research Team
+lookup_type: csv
+default_match: false
 description: A list of file extensions that are associated with ransomware
 filename: ransomware_extensions_20241212.csv
-match_type: WILDCARD(Extensions)
+match_type: 
+- WILDCARD(Extensions)
 min_matches: 1
-name: ransomware_extensions_lookup
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/ransomware_notes_lookup.yml b/lookups/ransomware_notes_lookup.yml
@@ -1,7 +1,12 @@
-default_match: 'false'
+name: ransomware_notes_lookup
+date: 2024-12-23
+version: 2
+id: 93d9fb06-035e-496c-91d5-7a79543ce1e1
+author: Splunk Threat Research Team
+lookup_type: csv
+default_match: false
 description: A list of file names that are ransomware note files
-filename: ransomware_notes_20231219.csv
-match_type: WILDCARD(ransomware_notes)
+match_type: 
+- WILDCARD(ransomware_notes)
 min_matches: 1
-name: ransomware_notes_lookup
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/remote_access_software.yml b/lookups/remote_access_software.yml
@@ -1,8 +1,15 @@
-description: A list of Remote Access Software
-filename: remote_access_software20240726.csv
 name: remote_access_software
-default_match: 'false'
-match_type: WILDCARD(remote_utility),WILDCARD(remote_domain),WILDCARD(remote_utility_fileinfo)
+date: 2024-12-23
+version: 2
+id: f3b92ff9-667c-481f-b29d-458e10d48508
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A list of Remote Access Software
+default_match: false
+match_type: 
+- WILDCARD(remote_utility)
+- WILDCARD(remote_domain)
+- WILDCARD(remote_utility_fileinfo)
 min_matches: 1
 max_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/remote_access_software_exceptions.yml b/lookups/remote_access_software_exceptions.yml
@@ -1,4 +1,16 @@
+name: remote_access_software_exceptions
+date: 2024-12-23
+version: 2
+id: 2742e885-0706-494b-8f56-a90a3e8d33b4
+author: Splunk Threat Research Team
+lookup_type: kvstore
 description: A list used to provide global exceptions to remote access monitoring content.
 collection: remote_access_software_exceptions
-name: remote_access_software_exceptions
-fields_list: _key, asset, software, exception_date, exception_ttl_days, exception, comment
+fields_list: 
+- _key
+- asset
+-  software
+- exception_date
+- exception_ttl_days
+- exception
+- comment
diff --git a/lookups/s3_deletion_baseline.yml b/lookups/s3_deletion_baseline.yml
@@ -1,4 +1,15 @@
+name: s3_deletion_baseline
+date: 2024-12-23
+version: 2
+id: 45e5d266-f80b-43f8-b4a7-87e070da4e70
+author: Splunk Threat Research Team
+lookup_type: kvstore
 description: A placeholder for the baseline information for AWS S3 deletions
 collection: s3_deletion_baseline
-name: s3_deletion_baseline
-fields_list: _key, arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls
+fields_list: 
+- _key
+- arn
+- latestCount
+- numDataPoints
+- avgApiCalls
+- stdevApiCalls
diff --git a/lookups/security_services_lookup.yml b/lookups/security_services_lookup.yml
diff --git a/lookups/suspicious_writes_lookup.yml b/lookups/suspicious_writes_lookup.yml
diff --git a/lookups/windows_protocol_handlers.yml b/lookups/windows_protocol_handlers.yml
diff --git a/lookups/zoom_first_time_child_process.yml b/lookups/zoom_first_time_child_process.yml
