first batch of updates to

pyth0n1c · pyth0n1c · commit 8b1b3d503b32 · 2024-12-23T15:14:19.000-08:00
lookup ymls
diff --git a/lookups/3cx_ioc_domains.yml b/lookups/3cx_ioc_domains.yml
@@ -1,7 +1,12 @@
-description: A list of domains from the 3CX supply chain attack.
-filename: 3cx_ioc_domains.csv
 name: 3cx_ioc_domains
-default_match: 'false'
-match_type: WILDCARD(domain)
+date: 2024-12-23
+version: 2
+id: 65c25399-4081-4ef1-b791-86f497d3380d
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A list of domains from the 3CX supply chain attack.
+default_match: false
+match_type: 
+- WILDCARD(domain)
 min_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/lookups/__mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
@@ -1,4 +1,8 @@
-description: Detect DNS Data Exfiltration using pretrained Model in DSDL
-filename: __mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.mlmodel
 name: __mlspl_detect_dns_data_exfiltration_using_pretrained_model_in_dsdl
-case_sensitive_match: 'false'
+date: 2024-12-23
+version: 2
+id: db5df924-c34c-4b0f-9333-a08b2af98e65
+author: Splunk Threat Research Team
+lookup_type: mlmodel
+description: Detect DNS Data Exfiltration using pretrained Model in DSDL
+case_sensitive_match: false
diff --git a/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/lookups/__mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml
@@ -1,4 +1,8 @@
-description: Detect suspicious DNS txt records using Pretrained Model in DSDL
-filename: __mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.mlmodel
 name: __mlspl_detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl
-case_sensitive_match: 'false'
+date: 2024-12-23
+version: 2
+id: d5099bcb-420e-4eec-9714-db0590ea4f03
+author: Splunk Threat Research Team
+lookup_type: mlmodel
+description: Detect suspicious DNS txt records using Pretrained Model in DSDL
+case_sensitive_match: false
diff --git a/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/lookups/__mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
@@ -1,4 +1,8 @@
-description: Detect a suspicious processname using Pretrained Model in DSDL
-filename: __mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl.mlmodel
 name: __mlspl_detect_suspicious_processnames_using_pretrained_model_in_dsdl
-case_sensitive_match: 'false'
+date: 2024-12-23
+version: 2
+id: 4660425a-4fdb-4a25-895b-abbd2557aa64
+author: Splunk Threat Research Team
+lookup_type: mlmodel
+description: Detect a suspicious processname using Pretrained Model in DSDL
+case_sensitive_match: false
diff --git a/lookups/__mlspl_pretrained_dga_model_dsdl.yml b/lookups/__mlspl_pretrained_dga_model_dsdl.yml
@@ -1,4 +1,8 @@
-description: Detect DGA domains using Pretrained Model in DSDL
-filename: __mlspl_pretrained_dga_model_dsdl.mlmodel
 name: __mlspl_pretrained_dga_model_dsdl
-case_sensitive_match: 'false'
+date: 2024-12-23
+version: 2
+id: 6c55ccdb-7006-4367-80b6-55bee5eae1a2
+author: Splunk Threat Research Team
+lookup_type: mlmodel
+description: Detect DGA domains using Pretrained Model in DSDL
+case_sensitive_match: false
diff --git a/lookups/__mlspl_unusual_commandline_detection.yml b/lookups/__mlspl_unusual_commandline_detection.yml
@@ -1,6 +1,10 @@
-description: An MLTK model for detecting malicious commandlines
-filename: __mlspl_unusual_commandline_detection.mlmodel
 name: __mlspl_unusual_commandline_detection
-case_sensitive_match: 'false'
+date: 2024-12-23
+version: 2
+id: e340177d-f2c5-4cb7-8b13-9f484934f648
+author: Splunk Threat Research Team
+lookup_type: mlmodel
+description: An MLTK model for detecting malicious commandlines
+case_sensitive_match: false
 min_matches: 1
-default_match: 'false'
+default_match: false
diff --git a/lookups/ace_access_rights_lookup.yml b/lookups/ace_access_rights_lookup.yml
@@ -1,3 +1,8 @@
+name: ace_access_rights_lookup
+date: 2024-12-23
+version: 2
+id: 26cf3fc4-cee2-431a-9583-c4a404a25275
+author: Splunk Threat Research Team
+lookup_type: csv
 description: A lookup file that will contain translations for AD object ace access rights strings
-filename: ace_access_rights_lookup.csv
-name: ace_access_rights_lookup
+
diff --git a/lookups/ace_flag_lookup.yml b/lookups/ace_flag_lookup.yml
@@ -1,3 +1,7 @@
-description: A lookup file that will contain translations for AD object ace flags strings
-filename: ace_flag_lookup.csv
-name: ace_flag_lookup
+name: ace_flag_lookup
+date: 2024-12-23
+version: 2
+id: 6f4b0d42-5f24-4992-98f9-aebbc7ced9bf
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A lookup file that will contain translations for AD object ace flags strings
diff --git a/lookups/ace_type_lookup.yml b/lookups/ace_type_lookup.yml
@@ -1,3 +1,7 @@
-description: A lookup file that will contain translations for AD object ace type strings
-filename: ace_type_lookup.csv
-name: ace_type_lookup
+name: ace_type_lookup
+date: 2024-12-23
+version: 2
+id: 86e4531f-a37e-430c-9d5f-1447af2bc619
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A lookup file that will contain translations for AD object ace type strings
diff --git a/lookups/advanced_audit_policy_guids.yml b/lookups/advanced_audit_policy_guids.yml
@@ -1,7 +1,12 @@
-description: List of GUIDs associated with Windows advanced audit policies
-filename: advanced_audit_policy_guids.csv
 name: advanced_audit_policy_guids
-default_match: 'false'
-match_type: WILDCARD(GUID)
+date: 2024-12-23
+version: 2
+id: e2581a3a-1254-4b93-ae8f-ccde22362f0c
+author: Splunk Threat Research Team
+lookup_type: csv
+description: List of GUIDs associated with Windows advanced audit policies
+default_match: false
+match_type: 
+- WILDCARD(GUID)
 min_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/applockereventcodes.yml b/lookups/applockereventcodes.yml
@@ -1,7 +1,12 @@
-description: A csv of the ID and rule name for AppLocker event codes.
-filename: applockereventcodes.csv
 name: applockereventcodes
-default_match: 'false'
-match_type: WILDCARD(AppLocker_Event_Code)
+date: 2024-12-23
+version: 2
+id: 2fd8cc84-f4c8-4ab6-bd57-596f714a315f
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A csv of the ID and rule name for AppLocker event codes.
+default_match: false
+match_type: 
+- WILDCARD(AppLocker_Event_Code)
 min_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/asr_rules.yml b/lookups/asr_rules.yml
@@ -1,7 +1,12 @@
-description: A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.
-filename: asr_rules.csv
 name: asr_rules
-default_match: 'false'
-match_type: WILDCARD(ASR_Rule)
+date: 2024-12-23
+version: 2
+id: 3886d687-ae77-4a61-99eb-e745083e391e
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A csv of the ID and rule name for ASR, Microsoft Attack Surface Reduction rules.
+default_match: false
+match_type: 
+- WILDCARD(ASR_Rule)
 min_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/attacker_tools.yml b/lookups/attacker_tools.yml
@@ -1,7 +1,12 @@
-description: A list of tools used by attackers
-filename: attacker_tools.csv
 name: attacker_tools
-default_match: 'false'
-match_type: WILDCARD(attacker_tool_names)
+date: 2024-12-23
+version: 2
+id: 72620fe1-26cb-4cee-a6ee-8c6127056d81
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A list of tools used by attackers
+default_match: false
+match_type: 
+- WILDCARD(attacker_tool_names)
 min_matches: 1
-case_sensitive_match: 'false'
+case_sensitive_match: false
diff --git a/lookups/aws_service_accounts.yml b/lookups/aws_service_accounts.yml
@@ -1,3 +1,7 @@
-description: A lookup file that will contain AWS Service accounts
-filename: aws_service_accounts.csv
 name: aws_service_accounts
+date: 2024-12-23
+version: 2
+id: 33868b47-48b2-42ad-8acb-0416772ae664
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A lookup file that will contain AWS Service accounts
diff --git a/lookups/brandmonitoring_lookup.yml b/lookups/brandmonitoring_lookup.yml
@@ -1,7 +1,12 @@
-default_match: 'false'
+name: brandMonitoring_lookup
+date: 2024-12-23
+version: 2
+id: 6fff763a-d654-42dc-8e56-92c8e255ac55
+author: Splunk Threat Research Team
+lookup_type: csv
+default_match: false
 description: A file that contains look-a-like domains for brands that you want to
   monitor
-filename: brand_monitoring.csv
-match_type: WILDCARD(domain)
-min_matches: 1
-name: brandMonitoring_lookup
+match_type: 
+- WILDCARD(domain)
+min_matches: 1
diff --git a/lookups/prohibited_processes.yml b/lookups/prohibited_processes.yml
@@ -1,3 +1,7 @@
-description: A list of processes that have been marked as prohibited
-filename: prohibited_processes.csv
 name: prohibited_processes
+date: 2024-12-23
+version: 2
+id: 310910fe-5158-4f87-8e45-9a307b6ffa8c
+author: Splunk Threat Research Team
+lookup_type: csv
+description: A list of processes that have been marked as prohibited
